From 6d33d20831a2996d18e977b5551fa63d075a5939 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Mar 2026 16:30:22 +0000 Subject: [PATCH 1/2] refactor: add GH_AW_HOME constants and replace hardcoded /opt/gh-aw paths (partial) Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/constants/constants.go | 8 +++- pkg/workflow/compiler_safe_outputs_steps.go | 10 ++--- pkg/workflow/compiler_yaml_ai_execution.go | 16 +++---- pkg/workflow/compiler_yaml_helpers.go | 8 ++-- pkg/workflow/git_configuration_steps.go | 2 +- pkg/workflow/mcp_config_builtin.go | 2 +- pkg/workflow/mcp_renderer.go | 2 +- pkg/workflow/mcp_renderer_builtin.go | 2 +- pkg/workflow/mcp_scripts_generator.go | 2 +- pkg/workflow/mcp_scripts_parser.go | 2 +- pkg/workflow/mcp_setup_generator.go | 46 ++++++++++----------- pkg/workflow/pr.go | 8 ++-- pkg/workflow/prompt_constants.go | 2 +- pkg/workflow/redact_secrets.go | 4 +- pkg/workflow/repo_memory.go | 6 +-- pkg/workflow/runtime_step_generator.go | 2 +- pkg/workflow/safe_outputs_steps.go | 8 ++-- pkg/workflow/setup_action_paths.go | 32 +++++++++++++- pkg/workflow/step_order_validation.go | 2 +- pkg/workflow/threat_detection.go | 16 +++---- 20 files changed, 107 insertions(+), 73 deletions(-) diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 04347ffb512..fdaf0147cf5 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -443,9 +443,13 @@ const DefaultAlpineImage = "alpine:latest" // This image is built during workflow execution and includes the gh-aw binary and dependencies const DevModeGhAwImage = "localhost/gh-aw:dev" +// GhAwHomeDefault is the default value for GH_AW_HOME when the env var is not set +const GhAwHomeDefault = "/opt/gh-aw" + // DefaultGhAwMount is the mount path for the gh-aw directory in containerized MCP servers -// The gh-aw binary and supporting files are mounted read-only from /opt/gh-aw -const DefaultGhAwMount = "/opt/gh-aw:/opt/gh-aw:ro" +// Uses shell expansion so docker gets the resolved path at runtime. +// GH_AW_HOME is always set in the job-level env, so no fallback is needed here. +const DefaultGhAwMount = "\\${GH_AW_HOME}:\\${GH_AW_HOME}:ro" // DefaultGhBinaryMount is the mount path for the gh CLI binary in containerized MCP servers // The gh CLI is required for agentic-workflows MCP server to run gh commands diff --git a/pkg/workflow/compiler_safe_outputs_steps.go b/pkg/workflow/compiler_safe_outputs_steps.go index a218fab6b36..1bd14f97c29 100644 --- a/pkg/workflow/compiler_safe_outputs_steps.go +++ b/pkg/workflow/compiler_safe_outputs_steps.go @@ -158,13 +158,13 @@ func (c *Compiler) buildConsolidatedSafeOutputStep(data *WorkflowData, config Sa // Use require mode if ScriptName is set, otherwise inline the bundled script if config.ScriptName != "" { // Require mode: Use setup_globals helper - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, fmt.Sprintf(" const { main } = require('"+SetupActionDestination+"/%s.cjs');\n", config.ScriptName)) + steps = append(steps, fmt.Sprintf(" const { main } = require("+JsRequireGhAw("actions/%s.cjs")+");\n", config.ScriptName)) steps = append(steps, " await main();\n") } else { // Inline JavaScript: Use setup_globals helper - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") // Inline mode: embed the bundled script directly formattedScript := FormatJavaScriptForYAML(config.Script) @@ -437,9 +437,9 @@ func (c *Compiler) buildHandlerManagerStep(data *WorkflowData) []string { c.addSafeOutputGitHubTokenForConfig(&steps, data, configToken) steps = append(steps, " script: |\n") - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, " const { main } = require('"+SetupActionDestination+"/safe_output_handler_manager.cjs');\n") + steps = append(steps, " const { main } = require("+JsRequireGhAw("actions/safe_output_handler_manager.cjs")+");\n") steps = append(steps, " await main();\n") return steps diff --git a/pkg/workflow/compiler_yaml_ai_execution.go b/pkg/workflow/compiler_yaml_ai_execution.go index c0ac972ff18..07c8aaa504b 100644 --- a/pkg/workflow/compiler_yaml_ai_execution.go +++ b/pkg/workflow/compiler_yaml_ai_execution.go @@ -47,10 +47,10 @@ func (c *Compiler) generateLogParsing(yaml *strings.Builder, engine CodingAgentE yaml.WriteString(" script: |\n") // Use the setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load log parser script from external file using require() - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/" + parserScriptName + ".cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/"+parserScriptName+".cjs") + ");\n") yaml.WriteString(" await main();\n") } @@ -65,10 +65,10 @@ func (c *Compiler) generateMCPScriptsLogParsing(yaml *strings.Builder) { yaml.WriteString(" script: |\n") // Use the setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load mcp-scripts log parser script from external file using require() - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/parse_mcp_scripts_logs.cjs") + ");\n") yaml.WriteString(" await main();\n") } @@ -83,10 +83,10 @@ func (c *Compiler) generateMCPGatewayLogParsing(yaml *strings.Builder) { yaml.WriteString(" script: |\n") // Use the setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load MCP gateway log parser script from external file using require() - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/parse_mcp_gateway_log.cjs") + ");\n") yaml.WriteString(" await main();\n") } @@ -108,7 +108,7 @@ func (c *Compiler) generateStopMCPGateway(yaml *strings.Builder, data *WorkflowD yaml.WriteString(" GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" bash /opt/gh-aw/actions/stop_mcp_gateway.sh \"$GATEWAY_PID\"\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/stop_mcp_gateway.sh \"$GATEWAY_PID\"\n") } // generateAgentStepSummaryAppend generates a step that appends the agent's GITHUB_STEP_SUMMARY @@ -120,5 +120,5 @@ func (c *Compiler) generateAgentStepSummaryAppend(yaml *strings.Builder) { yaml.WriteString(" - name: Append agent step summary\n") yaml.WriteString(" if: always()\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/append_agent_step_summary.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/append_agent_step_summary.sh\n") } diff --git a/pkg/workflow/compiler_yaml_helpers.go b/pkg/workflow/compiler_yaml_helpers.go index 9b65312428a..da7334b66b4 100644 --- a/pkg/workflow/compiler_yaml_helpers.go +++ b/pkg/workflow/compiler_yaml_helpers.go @@ -218,11 +218,11 @@ func generatePlaceholderSubstitutionStep(yaml *strings.Builder, expressionMappin yaml.WriteString(indent + " script: |\n") // Use setup_globals helper to make GitHub Actions objects available globally - yaml.WriteString(indent + " const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(indent + " const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(indent + " setupGlobals(core, github, context, exec, io);\n") yaml.WriteString(indent + " \n") // Use require() to load script from copied files - yaml.WriteString(indent + " const substitutePlaceholders = require('" + SetupActionDestination + "/substitute_placeholders.cjs');\n") + yaml.WriteString(indent + " const substitutePlaceholders = require(" + JsRequireGhAw("actions/substitute_placeholders.cjs") + ");\n") yaml.WriteString(indent + " \n") yaml.WriteString(indent + " // Call the substitution function\n") yaml.WriteString(indent + " return await substitutePlaceholders({\n") @@ -354,9 +354,9 @@ func generateGitHubScriptWithRequire(scriptPath string) string { var script strings.Builder // Use the setup_globals helper to store GitHub Actions objects in global scope - script.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + script.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") script.WriteString(" setupGlobals(core, github, context, exec, io);\n") - script.WriteString(" const { main } = require('" + SetupActionDestination + "/" + scriptPath + "');\n") + script.WriteString(" const { main } = require(" + JsRequireGhAw("actions/"+scriptPath) + ");\n") script.WriteString(" await main();\n") return script.String() diff --git a/pkg/workflow/git_configuration_steps.go b/pkg/workflow/git_configuration_steps.go index 62d21caeb8b..9173389b534 100644 --- a/pkg/workflow/git_configuration_steps.go +++ b/pkg/workflow/git_configuration_steps.go @@ -75,6 +75,6 @@ func (c *Compiler) generateGitCredentialsCleanerStep() []string { return []string{ " - name: Clean git credentials\n", " continue-on-error: true\n", - " run: bash /opt/gh-aw/actions/clean_git_credentials.sh\n", + " run: bash " + GhAwHome + "/actions/clean_git_credentials.sh\n", } } diff --git a/pkg/workflow/mcp_config_builtin.go b/pkg/workflow/mcp_config_builtin.go index 35e7500619c..974fb1b7480 100644 --- a/pkg/workflow/mcp_config_builtin.go +++ b/pkg/workflow/mcp_config_builtin.go @@ -211,7 +211,7 @@ func renderAgenticWorkflowsMCPConfigWithOptions(yaml *strings.Builder, isLast bo // Release mode: Use minimal Alpine image with mounted binaries // The gh-aw binary is mounted from /opt/gh-aw and executed directly // Pass --validate-actor flag to enable role-based access control - entrypoint = "/opt/gh-aw/gh-aw" + entrypoint = GhAwHome + "/gh-aw" entrypointArgs = []string{"mcp-server", "--validate-actor"} // Mount gh-aw binary, gh CLI binary, workspace, and temp directory mounts = []string{constants.DefaultGhAwMount, constants.DefaultGhBinaryMount, constants.DefaultWorkspaceMount, constants.DefaultTmpGhAwMount} diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go index 9a2d1bfbd5e..30a8f97f4b1 100644 --- a/pkg/workflow/mcp_renderer.go +++ b/pkg/workflow/mcp_renderer.go @@ -206,7 +206,7 @@ func RenderJSONMCPConfig( delimiter := GenerateHeredocDelimiter("MCP_CONFIG") // Write the configuration to the YAML output - yaml.WriteString(" cat << " + delimiter + " | bash /opt/gh-aw/actions/start_mcp_gateway.sh\n") + yaml.WriteString(" cat << " + delimiter + " | bash " + GhAwHome + "/actions/start_mcp_gateway.sh\n") yaml.WriteString(generatedConfig) yaml.WriteString(" " + delimiter + "\n") diff --git a/pkg/workflow/mcp_renderer_builtin.go b/pkg/workflow/mcp_renderer_builtin.go index 98c15a99e24..97be108f8be 100644 --- a/pkg/workflow/mcp_renderer_builtin.go +++ b/pkg/workflow/mcp_renderer_builtin.go @@ -262,7 +262,7 @@ func (r *MCPConfigRendererUnified) renderAgenticWorkflowsTOML(yaml *strings.Buil mounts = []string{constants.DefaultWorkspaceMount, constants.DefaultTmpGhAwMount} } else { // Release mode: Use minimal Alpine image with mounted binaries - entrypoint = "/opt/gh-aw/gh-aw" + entrypoint = GhAwHome + "/gh-aw" entrypointArgs = []string{"mcp-server", "--validate-actor"} // Mount gh-aw binary, gh CLI binary, workspace, and temp directory mounts = []string{constants.DefaultGhAwMount, constants.DefaultGhBinaryMount, constants.DefaultWorkspaceMount, constants.DefaultTmpGhAwMount} diff --git a/pkg/workflow/mcp_scripts_generator.go b/pkg/workflow/mcp_scripts_generator.go index b109033d4ec..780b90c8d9c 100644 --- a/pkg/workflow/mcp_scripts_generator.go +++ b/pkg/workflow/mcp_scripts_generator.go @@ -164,7 +164,7 @@ const apiKey = process.env.GH_AW_MCP_SCRIPTS_API_KEY || ""; startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: ` + GhAwHomeJS + ` + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); diff --git a/pkg/workflow/mcp_scripts_parser.go b/pkg/workflow/mcp_scripts_parser.go index 3da1e1b0b41..d634618ac92 100644 --- a/pkg/workflow/mcp_scripts_parser.go +++ b/pkg/workflow/mcp_scripts_parser.go @@ -42,7 +42,7 @@ const ( ) // MCPScriptsDirectory is the directory where mcp-scripts files are generated -const MCPScriptsDirectory = "/opt/gh-aw/mcp-scripts" +const MCPScriptsDirectory = GhAwHome + "/mcp-scripts" // HasMCPScripts checks if mcp-scripts are configured func HasMCPScripts(mcpScripts *MCPScriptsConfig) bool { diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 6b17d954f2f..568a14d877f 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -184,12 +184,12 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" fi\n") yaml.WriteString(" gh aw --version\n") yaml.WriteString(" # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization\n") - yaml.WriteString(" mkdir -p /opt/gh-aw\n") + yaml.WriteString(" mkdir -p " + GhAwHome + "\n") yaml.WriteString(" GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1)\n") yaml.WriteString(" if [ -n \"$GH_AW_BIN\" ] && [ -f \"$GH_AW_BIN\" ]; then\n") - yaml.WriteString(" cp \"$GH_AW_BIN\" /opt/gh-aw/gh-aw\n") - yaml.WriteString(" chmod +x /opt/gh-aw/gh-aw\n") - yaml.WriteString(" echo \"Copied gh-aw binary to /opt/gh-aw/gh-aw\"\n") + yaml.WriteString(" cp \"$GH_AW_BIN\" " + GhAwHome + "/gh-aw\n") + yaml.WriteString(" chmod +x " + GhAwHome + "/gh-aw\n") + yaml.WriteString(" echo \"Copied gh-aw binary to " + GhAwHome + "/gh-aw\"\n") yaml.WriteString(" else\n") yaml.WriteString(" echo \"::error::Failed to find gh-aw binary for MCP server\"\n") yaml.WriteString(" exit 1\n") @@ -206,14 +206,14 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // AND exceeds 21,000 characters total. yaml.WriteString(" - name: Write Safe Outputs Config\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" mkdir -p /opt/gh-aw/safeoutputs\n") + yaml.WriteString(" mkdir -p " + GhAwHome + "/safeoutputs\n") yaml.WriteString(" mkdir -p /tmp/gh-aw/safeoutputs\n") yaml.WriteString(" mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs\n") // Write the safe-outputs configuration to config.json delimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_CONFIG") if safeOutputConfig != "" { - yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/config.json << '" + delimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/safeoutputs/config.json << '" + delimiter + "'\n") yaml.WriteString(" " + safeOutputConfig + "\n") yaml.WriteString(" " + delimiter + "\n") } @@ -261,7 +261,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" run: |\n") toolsMetaDelimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_TOOLS_META") - yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/tools_meta.json << '" + toolsMetaDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/safeoutputs/tools_meta.json << '" + toolsMetaDelimiter + "'\n") // Write each line of the compact meta JSON with proper YAML indentation for line := range strings.SplitSeq(toolsMetaJSON, "\n") { yaml.WriteString(" " + line + "\n") @@ -269,7 +269,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" " + toolsMetaDelimiter + "\n") validationDelimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_VALIDATION") - yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/validation.json << '" + validationDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/safeoutputs/validation.json << '" + validationDelimiter + "'\n") // Write each line of the indented JSON with proper YAML indentation for line := range strings.SplitSeq(validationConfigJSON, "\n") { yaml.WriteString(" " + line + "\n") @@ -279,7 +279,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Generate the final tools.json at runtime from the source file in the actions folder. // generate_safe_outputs_tools.cjs reads safe_outputs_tools.json (deployed by actions/setup), // applies the meta overrides from tools_meta.json, and writes tools.json. - yaml.WriteString(" node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs\n") + yaml.WriteString(" node " + GhAwHome + "/actions/generate_safe_outputs_tools.cjs\n") // Note: The MCP server entry point (mcp-server.cjs) is now copied by actions/setup // from safe-outputs-mcp-server.cjs - no need to generate it here @@ -313,8 +313,8 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" DEBUG: '*'\n") yaml.WriteString(" GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}\n") yaml.WriteString(" GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}\n") - yaml.WriteString(" GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json\n") - yaml.WriteString(" GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json\n") + yaml.WriteString(" GH_AW_SAFE_OUTPUTS_TOOLS_PATH: " + GhAwHomeExpr + "/safeoutputs/tools.json\n") + yaml.WriteString(" GH_AW_SAFE_OUTPUTS_CONFIG_PATH: " + GhAwHomeExpr + "/safeoutputs/config.json\n") yaml.WriteString(" GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs\n") yaml.WriteString(" run: |\n") @@ -328,7 +328,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" \n") // Call the bundled shell script to start the server - yaml.WriteString(" bash /opt/gh-aw/actions/start_safe_outputs_server.sh\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/start_safe_outputs_server.sh\n") yaml.WriteString(" \n") } @@ -338,12 +338,12 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Step 1: Write config files (JavaScript files are now copied by actions/setup) yaml.WriteString(" - name: Setup MCP Scripts Config\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" mkdir -p /opt/gh-aw/mcp-scripts/logs\n") + yaml.WriteString(" mkdir -p " + GhAwHome + "/mcp-scripts/logs\n") // Generate the tools.json configuration file toolsJSON := generateMCPScriptsToolsConfig(workflowData.MCPScripts) toolsDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_TOOLS") - yaml.WriteString(" cat > /opt/gh-aw/mcp-scripts/tools.json << '" + toolsDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/mcp-scripts/tools.json << '" + toolsDelimiter + "'\n") for line := range strings.SplitSeq(toolsJSON, "\n") { yaml.WriteString(" " + line + "\n") } @@ -352,12 +352,12 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Generate the MCP server entry point mcpScriptsMCPServer := generateMCPScriptsMCPServerScript(workflowData.MCPScripts) serverDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_SERVER") - yaml.WriteString(" cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << '" + serverDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/mcp-scripts/mcp-server.cjs << '" + serverDelimiter + "'\n") for _, line := range FormatJavaScriptForYAML(mcpScriptsMCPServer) { yaml.WriteString(line) } yaml.WriteString(" " + serverDelimiter + "\n") - yaml.WriteString(" chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs\n") + yaml.WriteString(" chmod +x " + GhAwHome + "/mcp-scripts/mcp-server.cjs\n") yaml.WriteString(" \n") // Step 2: Generate tool files (js/py/sh) @@ -374,7 +374,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // JavaScript tool toolScript := generateMCPScriptJavaScriptToolScript(toolConfig) jsDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_JS_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.cjs << '%s'\n", toolName, jsDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.cjs << '%s'\n", toolName, jsDelimiter) for _, line := range FormatJavaScriptForYAML(toolScript) { yaml.WriteString(line) } @@ -383,27 +383,27 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Shell script tool toolScript := generateMCPScriptShellToolScript(toolConfig) shDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_SH_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.sh << '%s'\n", toolName, shDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.sh << '%s'\n", toolName, shDelimiter) for line := range strings.SplitSeq(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } fmt.Fprintf(yaml, " %s\n", shDelimiter) - fmt.Fprintf(yaml, " chmod +x /opt/gh-aw/mcp-scripts/%s.sh\n", toolName) + fmt.Fprintf(yaml, " chmod +x "+GhAwHome+"/mcp-scripts/%s.sh\n", toolName) } else if toolConfig.Py != "" { // Python script tool toolScript := generateMCPScriptPythonToolScript(toolConfig) pyDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_PY_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.py << '%s'\n", toolName, pyDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.py << '%s'\n", toolName, pyDelimiter) for line := range strings.SplitSeq(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } fmt.Fprintf(yaml, " %s\n", pyDelimiter) - fmt.Fprintf(yaml, " chmod +x /opt/gh-aw/mcp-scripts/%s.py\n", toolName) + fmt.Fprintf(yaml, " chmod +x "+GhAwHome+"/mcp-scripts/%s.py\n", toolName) } else if toolConfig.Go != "" { // Go script tool toolScript := generateMCPScriptGoToolScript(toolConfig) goDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_GO_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.go << '%s'\n", toolName, goDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.go << '%s'\n", toolName, goDelimiter) for line := range strings.SplitSeq(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } @@ -463,7 +463,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" \n") // Call the bundled shell script to start the server - yaml.WriteString(" bash /opt/gh-aw/actions/start_mcp_scripts_server.sh\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/start_mcp_scripts_server.sh\n") yaml.WriteString(" \n") } diff --git a/pkg/workflow/pr.go b/pkg/workflow/pr.go index 32d1f63bc07..0802b70c2d7 100644 --- a/pkg/workflow/pr.go +++ b/pkg/workflow/pr.go @@ -66,16 +66,16 @@ func (c *Compiler) generatePRReadyForReviewCheckout(yaml *strings.Builder, data if useRequire { // Use require() to load script from copied files using setup_globals helper - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('" + SetupActionDestination + "/checkout_pr_branch.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/checkout_pr_branch.cjs") + ");\n") yaml.WriteString(" await main();\n") } else { // Inline JavaScript: Attach GitHub Actions builtin objects to global scope before script execution - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript for checking out the PR branch - WriteJavaScriptToYAML(yaml, "const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main();") + WriteJavaScriptToYAML(yaml, "const { main } = require("+JsRequireGhAw("actions/checkout_pr_branch.cjs")+"); await main();") } } diff --git a/pkg/workflow/prompt_constants.go b/pkg/workflow/prompt_constants.go index 16c2015c22b..e5c08c889b7 100644 --- a/pkg/workflow/prompt_constants.go +++ b/pkg/workflow/prompt_constants.go @@ -4,7 +4,7 @@ import _ "embed" // Prompt file paths at runtime (copied by setup action to /opt/gh-aw/prompts) const ( - promptsDir = "/opt/gh-aw/prompts" + promptsDir = GhAwHome + "/prompts" prContextPromptFile = "pr_context_prompt.md" tempFolderPromptFile = "temp_folder_prompt.md" playwrightPromptFile = "playwright_prompt.md" diff --git a/pkg/workflow/redact_secrets.go b/pkg/workflow/redact_secrets.go index 95a3e5a1b05..b9485b2c7cf 100644 --- a/pkg/workflow/redact_secrets.go +++ b/pkg/workflow/redact_secrets.go @@ -79,9 +79,9 @@ func (c *Compiler) generateSecretRedactionStep(yaml *strings.Builder, yamlConten // Load redact_secrets script from external file // Use setupGlobals helper to attach GitHub Actions builtin objects to global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/redact_secrets.cjs") + ");\n") yaml.WriteString(" await main();\n") // Add environment variables diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go index 2e37ed9e92a..63674ee8842 100644 --- a/pkg/workflow/repo_memory.go +++ b/pkg/workflow/repo_memory.go @@ -543,7 +543,7 @@ func generateRepoMemorySteps(builder *strings.Builder, data *WorkflowData) { fmt.Fprintf(builder, " TARGET_REPO: %s\n", targetRepo) fmt.Fprintf(builder, " MEMORY_DIR: %s\n", memoryDir) fmt.Fprintf(builder, " CREATE_ORPHAN: %t\n", memory.CreateOrphan) - builder.WriteString(" run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh\n") + builder.WriteString(" run: bash " + GhAwHome + "/actions/clone_repo_memory_branch.sh\n") } } @@ -666,13 +666,13 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna if useRequire { // Use require() to load script from copied files using setup_globals helper - step.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + step.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") step.WriteString(" const { main } = require('" + SetupActionDestination + "/push_repo_memory.cjs');\n") step.WriteString(" await main();\n") } else { // Inline JavaScript: Attach GitHub Actions builtin objects to global scope before script execution - step.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + step.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript script with proper indentation formattedScript := FormatJavaScriptForYAML("const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main();") diff --git a/pkg/workflow/runtime_step_generator.go b/pkg/workflow/runtime_step_generator.go index 41972a3837e..5f132a7efca 100644 --- a/pkg/workflow/runtime_step_generator.go +++ b/pkg/workflow/runtime_step_generator.go @@ -185,7 +185,7 @@ func GenerateMultiSecretValidationStep(secretNames []string, engineName, docsURL stepLines := []string{ stepName, " id: validate-secret", - " run: /opt/gh-aw/actions/validate_multi_secret.sh " + scriptArgsStr, + " run: " + GhAwHome + "/actions/validate_multi_secret.sh " + scriptArgsStr, " env:", } diff --git a/pkg/workflow/safe_outputs_steps.go b/pkg/workflow/safe_outputs_steps.go index fc2290331dd..41827b3d221 100644 --- a/pkg/workflow/safe_outputs_steps.go +++ b/pkg/workflow/safe_outputs_steps.go @@ -179,9 +179,9 @@ func (c *Compiler) buildGitHubScriptStep(data *WorkflowData, config GitHubScript // Use require() if ScriptFile is specified, otherwise inline the script if config.ScriptFile != "" { - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, fmt.Sprintf(" const { main } = require('"+SetupActionDestination+"/%s');\n", config.ScriptFile)) + steps = append(steps, fmt.Sprintf(" const { main } = require("+JsRequireGhAw("actions/%s")+");\n", config.ScriptFile)) steps = append(steps, " await main();\n") } else { // Add the formatted JavaScript script (inline) @@ -232,9 +232,9 @@ func (c *Compiler) buildGitHubScriptStepWithoutDownload(data *WorkflowData, conf // Use require() if ScriptFile is specified, otherwise inline the script if config.ScriptFile != "" { - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, fmt.Sprintf(" const { main } = require('"+SetupActionDestination+"/%s');\n", config.ScriptFile)) + steps = append(steps, fmt.Sprintf(" const { main } = require("+JsRequireGhAw("actions/%s")+");\n", config.ScriptFile)) steps = append(steps, " await main();\n") } else { // Add the formatted JavaScript script (inline) diff --git a/pkg/workflow/setup_action_paths.go b/pkg/workflow/setup_action_paths.go index 16736ac89da..62b37dea736 100644 --- a/pkg/workflow/setup_action_paths.go +++ b/pkg/workflow/setup_action_paths.go @@ -1,5 +1,35 @@ package workflow +import "fmt" + +// GhAwHome is the shell expression for GH_AW_HOME. +// Use this in bash `run:` contexts where shell variable expansion occurs. +// The job-level env sets GH_AW_HOME to /opt/gh-aw by default. +const GhAwHome = "${GH_AW_HOME}" + +// GhAwHomeJS is the JavaScript expression for GH_AW_HOME. +// Use this inside require() or other JS expressions in github-script steps. +// The job-level env sets GH_AW_HOME to /opt/gh-aw by default. +const GhAwHomeJS = "process.env.GH_AW_HOME" + +// GhAwHomeExpr is the GitHub Actions expression for GH_AW_HOME. +// Use this in YAML env: blocks where shell variable expansion does NOT occur. +// GitHub Actions evaluates ${{ env.VAR }} before passing values to steps. +const GhAwHomeExpr = "${{ env.GH_AW_HOME }}" + +// GhAwHomeExprDefault is the GitHub Actions expression for GH_AW_HOME with a fallback. +// Use this in job-level env: blocks so callers can override GH_AW_HOME via +// workflow-level or repository-level env, while defaulting to GhAwHomeDefault. +const GhAwHomeExprDefault = "${{ env.GH_AW_HOME || '/opt/gh-aw' }}" + // SetupActionDestination is the path where the setup action copies script files // on the agent runner (e.g. /opt/gh-aw/actions). -const SetupActionDestination = "/opt/gh-aw/actions" +// Uses GitHub Actions expression syntax so the value is resolved before being passed +// to setup.sh (via INPUT_DESTINATION in script mode, or destination: in dev/release mode). +const SetupActionDestination = GhAwHomeExpr + "/actions" + +// JsRequireGhAw generates a JavaScript require() argument expression for a file +// under GH_AW_HOME. The relativePath should be like "actions/foo.cjs". +func JsRequireGhAw(relativePath string) string { + return fmt.Sprintf("%s + '/%s'", GhAwHomeJS, relativePath) +} diff --git a/pkg/workflow/step_order_validation.go b/pkg/workflow/step_order_validation.go index 24c07a3b91f..77c55d80ed5 100644 --- a/pkg/workflow/step_order_validation.go +++ b/pkg/workflow/step_order_validation.go @@ -180,7 +180,7 @@ func (t *StepOrderTracker) findUnscannablePaths(artifactUploads []StepRecord) [] func isPathScannedBySecretRedaction(path string) bool { // Paths must be under /tmp/gh-aw/ or /opt/gh-aw/ to be scanned // Accept both literal paths and environment variable references - if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") { + if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") && !strings.HasPrefix(path, "${GH_AW_HOME") { // Check if it's an environment variable that might resolve to /tmp/gh-aw/ or /opt/gh-aw/ // For now, we'll allow ${{ env.* }} patterns through as we can't resolve them at compile time // Assume environment variables that might contain /tmp/gh-aw or /opt/gh-aw paths are safe diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index e72f490661d..911cf5068c6 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -287,10 +287,10 @@ func (c *Compiler) buildThreatDetectionAnalysisStep(data *WorkflowData) []string func (c *Compiler) buildSetupScriptRequire() string { // Build a simple require statement that calls the main function // The template is now read from file at runtime by the JavaScript module - script := `const { setupGlobals } = require('` + SetupActionDestination + `/setup_globals.cjs'); -setupGlobals(core, github, context, exec, io); -const { main } = require('` + SetupActionDestination + `/setup_threat_detection.cjs'); -await main();` + script := "const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n" + + "setupGlobals(core, github, context, exec, io);\n" + + "const { main } = require(" + JsRequireGhAw("actions/setup_threat_detection.cjs") + ");\n" + + "await main();" return script } @@ -434,10 +434,10 @@ func (c *Compiler) buildWorkflowContextEnvVars(data *WorkflowData) []string { // buildResultsParsingScriptRequire creates the parsing script that requires the .cjs module func (c *Compiler) buildResultsParsingScriptRequire() string { // Build a simple require statement that calls the main function - script := `const { setupGlobals } = require('` + SetupActionDestination + `/setup_globals.cjs'); -setupGlobals(core, github, context, exec, io); -const { main } = require('` + SetupActionDestination + `/parse_threat_detection_results.cjs'); -await main();` + script := "const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n" + + "setupGlobals(core, github, context, exec, io);\n" + + "const { main } = require(" + JsRequireGhAw("actions/parse_threat_detection_results.cjs") + ");\n" + + "await main();" return script } From ded76dbfc1dc44d650266407984d7cc3e7925aea Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Mar 2026 17:24:59 +0000 Subject: [PATCH 2/2] Changes before error encountered Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ace-editor.lock.yml | 64 +++---- .../agent-performance-analyzer.lock.yml | 120 ++++++------ .../workflows/agent-persona-explorer.lock.yml | 116 ++++++------ .github/workflows/ai-moderator.lock.yml | 118 ++++++------ .github/workflows/archie.lock.yml | 122 ++++++------ .github/workflows/artifacts-summary.lock.yml | 94 ++++----- .github/workflows/audit-workflows.lock.yml | 126 ++++++------- .github/workflows/auto-triage-issues.lock.yml | 108 +++++------ .github/workflows/blog-auditor.lock.yml | 98 +++++----- .github/workflows/bot-detection.lock.yml | 88 ++++----- .github/workflows/brave.lock.yml | 122 ++++++------ .../breaking-change-checker.lock.yml | 108 +++++------ .github/workflows/changeset.lock.yml | 112 +++++------ .github/workflows/ci-coach.lock.yml | 104 +++++----- .github/workflows/ci-doctor.lock.yml | 110 +++++------ .../claude-code-user-docs-review.lock.yml | 100 +++++----- .../cli-consistency-checker.lock.yml | 94 ++++----- .../workflows/cli-version-checker.lock.yml | 100 +++++----- .github/workflows/cloclo.lock.yml | 150 +++++++-------- .../workflows/code-scanning-fixer.lock.yml | 124 ++++++------ .github/workflows/code-simplifier.lock.yml | 112 +++++------ .../codex-github-remote-mcp-test.lock.yml | 46 ++--- .../commit-changes-analyzer.lock.yml | 96 +++++----- .../constraint-solving-potd.lock.yml | 96 +++++----- .github/workflows/contribution-check.lock.yml | 96 +++++----- .../workflows/copilot-agent-analysis.lock.yml | 110 +++++------ .../copilot-cli-deep-research.lock.yml | 104 +++++----- .../copilot-pr-merged-report.lock.yml | 120 ++++++------ .../copilot-pr-nlp-analysis.lock.yml | 114 +++++------ .../copilot-pr-prompt-analysis.lock.yml | 108 +++++------ .../copilot-session-insights.lock.yml | 116 ++++++------ .github/workflows/craft.lock.yml | 124 ++++++------ .../daily-architecture-diagram.lock.yml | 104 +++++----- .../daily-assign-issue-to-user.lock.yml | 94 ++++----- .github/workflows/daily-choice-test.lock.yml | 96 +++++----- .../workflows/daily-cli-performance.lock.yml | 130 ++++++------- .../workflows/daily-cli-tools-tester.lock.yml | 106 +++++------ .github/workflows/daily-code-metrics.lock.yml | 116 ++++++------ .../workflows/daily-compiler-quality.lock.yml | 98 +++++----- .../daily-copilot-token-report.lock.yml | 114 +++++------ .github/workflows/daily-doc-healer.lock.yml | 132 ++++++------- .github/workflows/daily-doc-updater.lock.yml | 128 ++++++------- .github/workflows/daily-fact.lock.yml | 96 +++++----- .github/workflows/daily-file-diet.lock.yml | 104 +++++----- .../workflows/daily-firewall-report.lock.yml | 116 ++++++------ .../workflows/daily-function-namer.lock.yml | 100 +++++----- .../workflows/daily-issues-report.lock.yml | 112 +++++------ .../daily-malicious-code-scan.lock.yml | 86 ++++----- .../daily-mcp-concurrency-analysis.lock.yml | 100 +++++----- .../daily-multi-device-docs-tester.lock.yml | 104 +++++----- .github/workflows/daily-news.lock.yml | 114 +++++------ .../daily-observability-report.lock.yml | 112 +++++------ .../daily-performance-summary.lock.yml | 136 ++++++------- .github/workflows/daily-regulatory.lock.yml | 126 ++++++------- .../daily-rendering-scripts-verifier.lock.yml | 126 ++++++------- .../workflows/daily-repo-chronicle.lock.yml | 104 +++++----- .../daily-safe-output-integrator.lock.yml | 101 +++++----- .../daily-safe-output-optimizer.lock.yml | 120 ++++++------ .../daily-safe-outputs-conformance.lock.yml | 96 +++++----- .../workflows/daily-secrets-analysis.lock.yml | 94 ++++----- .../daily-security-red-team.lock.yml | 96 +++++----- .github/workflows/daily-semgrep-scan.lock.yml | 96 +++++----- .../daily-syntax-error-quality.lock.yml | 94 ++++----- .../daily-team-evolution-insights.lock.yml | 96 +++++----- .github/workflows/daily-team-status.lock.yml | 102 +++++----- .../daily-testify-uber-super-expert.lock.yml | 114 +++++------ .../workflows/daily-workflow-updater.lock.yml | 100 +++++----- .github/workflows/dead-code-remover.lock.yml | 114 +++++------ .github/workflows/deep-report.lock.yml | 126 ++++++------- .github/workflows/delight.lock.yml | 104 +++++----- .github/workflows/dependabot-burner.lock.yml | 102 +++++----- .../workflows/dependabot-go-checker.lock.yml | 96 +++++----- .github/workflows/dev-hawk.lock.yml | 110 +++++------ .github/workflows/dev.lock.yml | 94 ++++----- .../developer-docs-consolidator.lock.yml | 138 +++++++------- .github/workflows/dictation-prompt.lock.yml | 122 ++++++------ .../workflows/discussion-task-miner.lock.yml | 104 +++++----- .github/workflows/docs-noob-tester.lock.yml | 102 +++++----- .github/workflows/draft-pr-cleanup.lock.yml | 94 ++++----- .../duplicate-code-detector.lock.yml | 100 +++++----- .../example-permissions-warning.lock.yml | 46 ++--- .../example-workflow-analyzer.lock.yml | 106 +++++------ .github/workflows/firewall-escape.lock.yml | 118 ++++++------ .github/workflows/firewall.lock.yml | 46 ++--- .../workflows/functional-pragmatist.lock.yml | 102 +++++----- .../github-mcp-structural-analysis.lock.yml | 106 +++++------ .../github-mcp-tools-report.lock.yml | 106 +++++------ .../github-remote-mcp-auth-test.lock.yml | 96 +++++----- .../workflows/glossary-maintainer.lock.yml | 138 +++++++------- .github/workflows/go-fan.lock.yml | 100 +++++----- .github/workflows/go-logger.lock.yml | 132 ++++++------- .../workflows/go-pattern-detector.lock.yml | 96 +++++----- .github/workflows/gpclean.lock.yml | 100 +++++----- .github/workflows/grumpy-reviewer.lock.yml | 128 ++++++------- .github/workflows/hourly-ci-cleaner.lock.yml | 102 +++++----- .../workflows/instructions-janitor.lock.yml | 106 +++++------ .github/workflows/issue-arborist.lock.yml | 96 +++++----- .github/workflows/issue-monster.lock.yml | 118 ++++++------ .github/workflows/issue-triage-agent.lock.yml | 92 ++++----- .github/workflows/jsweep.lock.yml | 106 +++++------ .../workflows/layout-spec-maintainer.lock.yml | 102 +++++----- .github/workflows/lockfile-stats.lock.yml | 100 +++++----- .github/workflows/mcp-inspector.lock.yml | 110 +++++------ .github/workflows/mergefest.lock.yml | 126 ++++++------- .github/workflows/metrics-collector.lock.yml | 72 +++---- .../workflows/notion-issue-summary.lock.yml | 88 ++++----- .github/workflows/org-health-report.lock.yml | 106 +++++------ .github/workflows/pdf-summary.lock.yml | 128 ++++++------- .github/workflows/plan.lock.yml | 124 ++++++------ .github/workflows/poem-bot.lock.yml | 144 +++++++------- .github/workflows/portfolio-analyst.lock.yml | 116 ++++++------ .../workflows/pr-nitpick-reviewer.lock.yml | 128 ++++++------- .github/workflows/pr-triage-agent.lock.yml | 106 +++++------ .../prompt-clustering-analysis.lock.yml | 110 +++++------ .github/workflows/python-data-charts.lock.yml | 116 ++++++------ .github/workflows/q.lock.yml | 144 +++++++------- .github/workflows/refiner.lock.yml | 112 +++++------ .github/workflows/release.lock.yml | 102 +++++----- .../workflows/repo-audit-analyzer.lock.yml | 100 +++++----- .github/workflows/repo-tree-map.lock.yml | 96 +++++----- .../repository-quality-improver.lock.yml | 100 +++++----- .github/workflows/research.lock.yml | 96 +++++----- .github/workflows/safe-output-health.lock.yml | 110 +++++------ .../schema-consistency-checker.lock.yml | 100 +++++----- .github/workflows/scout.lock.yml | 128 ++++++------- ...ecurity-alert-burndown.campaign.g.lock.yml | 106 +++++------ .../workflows/security-compliance.lock.yml | 110 +++++------ .github/workflows/security-review.lock.yml | 138 +++++++------- .../semantic-function-refactor.lock.yml | 96 +++++----- .github/workflows/sergo.lock.yml | 100 +++++----- .../workflows/slide-deck-maintainer.lock.yml | 118 ++++++------ .../workflows/smoke-agent-all-merged.lock.yml | 114 +++++------ .../workflows/smoke-agent-all-none.lock.yml | 114 +++++------ .../smoke-agent-public-approved.lock.yml | 118 ++++++------ .../smoke-agent-public-none.lock.yml | 114 +++++------ .../smoke-agent-scoped-approved.lock.yml | 114 +++++------ .../workflows/smoke-call-workflow.lock.yml | 106 +++++------ .github/workflows/smoke-claude.lock.yml | 178 +++++++++--------- .github/workflows/smoke-codex.lock.yml | 146 +++++++------- .github/workflows/smoke-copilot-arm.lock.yml | 168 ++++++++--------- .github/workflows/smoke-copilot.lock.yml | 168 ++++++++--------- .../smoke-create-cross-repo-pr.lock.yml | 118 ++++++------ .github/workflows/smoke-gemini.lock.yml | 144 +++++++------- .github/workflows/smoke-multi-pr.lock.yml | 124 ++++++------ .github/workflows/smoke-project.lock.yml | 124 ++++++------ .github/workflows/smoke-temporary-id.lock.yml | 118 ++++++------ .github/workflows/smoke-test-tools.lock.yml | 114 +++++------ .../smoke-update-cross-repo-pr.lock.yml | 118 ++++++------ .../smoke-workflow-call-with-inputs.lock.yml | 108 +++++------ .../workflows/smoke-workflow-call.lock.yml | 106 +++++------ .../workflows/stale-repo-identifier.lock.yml | 106 +++++------ .../workflows/static-analysis-report.lock.yml | 110 +++++------ .../workflows/step-name-alignment.lock.yml | 100 +++++----- .github/workflows/sub-issue-closer.lock.yml | 96 +++++----- .github/workflows/super-linter.lock.yml | 100 +++++----- .../workflows/technical-doc-writer.lock.yml | 144 +++++++------- .github/workflows/terminal-stylist.lock.yml | 96 +++++----- .../test-create-pr-error-handling.lock.yml | 106 +++++------ .github/workflows/test-dispatcher.lock.yml | 96 +++++----- .../test-project-url-default.lock.yml | 96 +++++----- .github/workflows/test-workflow.lock.yml | 46 ++--- .github/workflows/tidy.lock.yml | 132 ++++++------- .github/workflows/typist.lock.yml | 96 +++++----- .../workflows/ubuntu-image-analyzer.lock.yml | 112 +++++------ .github/workflows/unbloat-docs.lock.yml | 162 ++++++++-------- .github/workflows/update-astro.lock.yml | 112 +++++------ .github/workflows/video-analyzer.lock.yml | 96 +++++----- .../weekly-editors-health-check.lock.yml | 110 +++++------ .../workflows/weekly-issue-summary.lock.yml | 102 +++++----- .../weekly-safe-outputs-spec-review.lock.yml | 102 +++++----- .github/workflows/workflow-generator.lock.yml | 128 ++++++------- .../workflow-health-manager.lock.yml | 112 +++++------ .../workflows/workflow-normalizer.lock.yml | 106 +++++------ .../workflow-skill-extractor.lock.yml | 96 +++++----- pkg/workflow/cache.go | 6 +- pkg/workflow/compiler_main_job.go | 26 +-- .../compiler_safe_outputs_specialized.go | 2 +- pkg/workflow/compiler_workflow_call.go | 2 +- pkg/workflow/compiler_yaml.go | 10 +- pkg/workflow/compiler_yaml_main_job.go | 6 +- pkg/workflow/copilot_engine_execution.go | 2 +- pkg/workflow/copilot_engine_installation.go | 2 +- pkg/workflow/copilot_installer.go | 2 +- pkg/workflow/docker.go | 2 +- pkg/workflow/mcp_github_config.go | 2 +- pkg/workflow/notify_comment.go | 9 +- pkg/workflow/repo_memory.go | 5 +- pkg/workflow/template.go | 4 +- pkg/workflow/unified_prompt_step.go | 2 +- 189 files changed, 9557 insertions(+), 9562 deletions(-) diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index 00dae98e383..11606ed7c1d 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -71,7 +71,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,7 +97,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -118,9 +118,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -128,18 +128,18 @@ jobs: GH_AW_WORKFLOW_FILE: "ace-editor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -149,9 +149,9 @@ jobs: GH_AW_WORKFLOW_NAME: "ACE Editor Session" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -170,9 +170,9 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -203,7 +203,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -237,10 +237,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -301,7 +301,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -363,7 +363,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -398,7 +398,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -472,15 +472,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -490,7 +490,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -498,18 +498,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -590,7 +590,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -599,9 +599,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -610,8 +610,8 @@ jobs: GH_AW_COMMANDS: "[\"ace\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 51ec85a1bad..7ce992acad4 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -103,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "agent-performance-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,12 +126,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_discussion, missing_tool, missing_data, noop @@ -165,7 +165,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -207,10 +207,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -293,7 +293,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -339,7 +339,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -362,9 +362,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -398,27 +398,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":10},"create_discussion":{"expires":24,"max":2},"create_issue":{"expires":48,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 10 comment(s) can be added.", @@ -429,7 +429,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -567,7 +567,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -592,8 +592,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -604,7 +604,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -635,7 +635,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -703,7 +703,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -779,15 +779,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -796,7 +796,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -824,18 +824,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -919,9 +919,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -972,9 +972,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1035,7 +1035,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1072,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1099,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1116,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1139,7 +1139,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1148,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1177,7 +1177,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1220,9 +1220,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1262,7 +1262,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1288,9 +1288,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index f5bb2909cfa..9f3212a3a1b 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "agent-persona-explorer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -131,12 +131,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -170,7 +170,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -209,10 +209,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -291,7 +291,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -360,9 +360,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -396,27 +396,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"agent-research\"." @@ -425,7 +425,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -512,7 +512,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -537,8 +537,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -549,7 +549,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -580,7 +580,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -648,7 +648,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -723,15 +723,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -741,7 +741,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -769,18 +769,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -861,9 +861,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -913,9 +913,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -975,7 +975,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -999,9 +999,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1012,9 +1012,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1036,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1053,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1076,7 +1076,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1085,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1122,7 +1122,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1148,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1179,7 +1179,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index b83302c1335..092dc6c90d8 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -83,7 +83,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -109,7 +109,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -128,18 +128,18 @@ jobs: GH_AW_WORKFLOW_FILE: "ai-moderator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Lock issue for agent workflow id: lock-issue @@ -147,9 +147,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/lock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/lock-issue.cjs'); await main(); - name: Create prompt with built-in context env: @@ -170,11 +170,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_labels, hide_comment, missing_tool, missing_data, noop @@ -208,7 +208,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -247,10 +247,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -323,7 +323,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below @@ -346,9 +346,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -373,15 +373,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_labels":{"allowed":["spam","ai-generated","link-spam","ai-inspected"],"max":3,"target":"*"},"hide_comment":{"allowed_reasons":["spam"],"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_labels": " CONSTRAINTS: Only these labels are allowed: [\"spam\" \"ai-generated\" \"link-spam\" \"ai-inspected\"]. Target: *." @@ -390,7 +390,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_labels": { "defaultMax": 5, @@ -494,7 +494,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -519,8 +519,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -531,7 +531,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -590,7 +590,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -638,7 +638,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -671,15 +671,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -690,7 +690,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -718,18 +718,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -808,7 +808,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -832,9 +832,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -845,9 +845,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -866,9 +866,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -883,9 +883,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -907,7 +907,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check user rate limit id: check_rate_limit uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -919,9 +919,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_rate_limit.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_rate_limit.cjs'); await main(); - name: Check skip-roles id: check_skip_roles @@ -932,9 +932,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_roles.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_roles.cjs'); await main(); - name: Check skip-bots id: check_skip_bots @@ -944,9 +944,9 @@ jobs: GH_AW_WORKFLOW_NAME: "AI Moderator" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_bots.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_bots.cjs'); await main(); safe_outputs: @@ -985,7 +985,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1011,9 +1011,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1044,15 +1044,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/unlock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/unlock-issue.cjs'); await main(); diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 40cc42bb093..7e66c19519f 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -88,7 +88,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -130,9 +130,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -140,18 +140,18 @@ jobs: GH_AW_WORKFLOW_FILE: "archie.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -162,9 +162,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📊 *Diagram rendered by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔧 *Workflow sync report by [{workflow_name}]({run_url}) for {repository}*\",\"footerWorkflowRecompileComment\":\"\\u003e 🔄 *Update from [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"📐 [{workflow_name}]({run_url}) is analyzing the architecture for this {event_type}...\",\"runSuccess\":\"🎨 [{workflow_name}]({run_url}) has completed the architecture visualization. ✅\",\"runFailure\":\"📐 [{workflow_name}]({run_url}) encountered an issue and could not complete the architecture diagram. Check the [run logs]({run_url}) for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -187,10 +187,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -224,9 +224,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -272,10 +272,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -353,7 +353,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -382,9 +382,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -406,15 +406,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added." @@ -423,7 +423,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -502,7 +502,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -527,8 +527,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -539,7 +539,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -569,7 +569,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -633,7 +633,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -709,15 +709,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -726,7 +726,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -755,18 +755,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -841,9 +841,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -894,9 +894,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -956,7 +956,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -980,9 +980,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -993,9 +993,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1015,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1032,9 +1032,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1051,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1080,7 +1080,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1089,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1100,9 +1100,9 @@ jobs: GH_AW_COMMANDS: "[\"archie\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1141,7 +1141,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1167,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 3336b178bcf..0def2babac9 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "artifacts-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,10 +124,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -161,7 +161,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -200,10 +200,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -276,7 +276,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -305,9 +305,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -329,15 +329,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"artifacts\"." @@ -346,7 +346,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -433,7 +433,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -458,8 +458,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -470,7 +470,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -500,7 +500,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -549,7 +549,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -625,15 +625,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -642,7 +642,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -670,18 +670,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -756,9 +756,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -809,9 +809,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,7 +870,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate GitHub App token id: safe-outputs-app-token uses: actions/create-github-app-token@a7f885bf4560200d03183ed941cb6fb072e4b343 # v3.0.0-beta.4 @@ -906,9 +906,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -919,9 +919,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -942,9 +942,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -959,9 +959,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.safe-outputs-app-token.outputs.token != '' @@ -1009,7 +1009,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1047,9 +1047,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.safe-outputs-app-token.outputs.token != '' diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 86d2fa896de..6a82ef4563b 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "audit-workflows.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,13 +132,13 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -174,7 +174,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -225,10 +225,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -310,7 +310,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -391,7 +391,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -414,9 +414,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -453,27 +453,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -483,7 +483,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -579,7 +579,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -604,8 +604,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -616,7 +616,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -649,7 +649,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -715,7 +715,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -843,15 +843,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -861,7 +861,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -889,18 +889,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -997,9 +997,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1060,9 +1060,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1124,7 +1124,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1149,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1163,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1191,9 +1191,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1209,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1238,7 +1238,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1281,9 +1281,9 @@ jobs: FILE_GLOB_FILTER: "memory/audit-workflows/*.json memory/audit-workflows/*.jsonl memory/audit-workflows/*.csv memory/audit-workflows/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1319,7 +1319,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1345,9 +1345,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1376,7 +1376,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1421,7 +1421,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1477,8 +1477,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index d87b28842ae..8f02234636b 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -71,7 +71,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -110,18 +110,18 @@ jobs: GH_AW_WORKFLOW_FILE: "auto-triage-issues.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -141,10 +141,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, add_labels, missing_tool, missing_data, noop @@ -178,7 +178,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -214,10 +214,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -289,7 +289,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -318,9 +318,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -342,15 +342,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_labels":{"max":10},"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_labels": " CONSTRAINTS: Maximum 10 label(s) can be added.", @@ -360,7 +360,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_labels": { "defaultMax": 5, @@ -466,7 +466,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -491,8 +491,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -503,7 +503,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -533,7 +533,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -582,7 +582,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -674,15 +674,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -691,7 +691,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -719,18 +719,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -805,9 +805,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -858,9 +858,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -920,7 +920,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -944,9 +944,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -957,9 +957,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -980,9 +980,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -997,9 +997,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1021,7 +1021,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check user rate limit id: check_rate_limit @@ -1045,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_rate_limit.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_rate_limit.cjs'); await main(); safe_outputs: @@ -1083,7 +1083,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1109,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index abf99fc75d2..98963e24d3b 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "blog-auditor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,11 +130,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -207,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -283,7 +283,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -312,9 +312,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -339,15 +339,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[audit] \". Discussions will be created in category \"audits\"." @@ -356,7 +356,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -443,7 +443,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -468,8 +468,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -480,7 +480,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -510,7 +510,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -582,7 +582,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -742,15 +742,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -760,7 +760,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -788,18 +788,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -872,9 +872,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -935,9 +935,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -996,7 +996,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1021,9 +1021,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1035,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1115,7 +1115,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1141,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index aff3081597e..4d4421d95f5 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -60,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +86,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "bot-detection.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,10 +130,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, update_issue, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -208,10 +208,10 @@ jobs: GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ISSUE_TITLE: ${{ needs.precompute.outputs.issue_title }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -319,9 +319,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -343,15 +343,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"mentions":{"allowed":["pelikhan"]},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"security\" \"bot-detection\"] will be automatically added.", @@ -361,7 +361,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -509,7 +509,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -534,8 +534,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -546,7 +546,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -576,7 +576,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -625,7 +625,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -700,15 +700,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -718,7 +718,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -746,18 +746,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -820,7 +820,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -844,9 +844,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -857,9 +857,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -879,9 +879,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -896,9 +896,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); precompute: @@ -1732,7 +1732,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1758,9 +1758,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index ace818d2a70..ee40ed4e151 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -74,7 +74,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -116,9 +116,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -126,18 +126,18 @@ jobs: GH_AW_WORKFLOW_FILE: "brave.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -148,9 +148,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦁 *Search results brought to you by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔄 *Maintenance report by [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"🔍 Brave Search activated! [{workflow_name}]({run_url}) is venturing into the web on this {event_type}...\",\"runSuccess\":\"🦁 Mission accomplished! [{workflow_name}]({run_url}) has returned with the findings. Knowledge acquired! 🏆\",\"runFailure\":\"🔍 Search interrupted! [{workflow_name}]({run_url}) {status}. The web remains unexplored...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -173,10 +173,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -210,9 +210,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -257,10 +257,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -337,7 +337,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -366,9 +366,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -390,15 +390,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added." @@ -407,7 +407,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -486,7 +486,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -511,8 +511,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -523,7 +523,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -554,7 +554,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e BRAVE_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "brave-search": { @@ -620,7 +620,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -696,15 +696,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'BRAVE_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -714,7 +714,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -743,18 +743,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -829,9 +829,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -882,9 +882,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -944,7 +944,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -968,9 +968,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -981,9 +981,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1003,9 +1003,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1020,9 +1020,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1039,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1065,7 +1065,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1074,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1085,9 +1085,9 @@ jobs: GH_AW_COMMANDS: "[\"brave\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1126,7 +1126,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1152,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 14cbfb64952..451c8d82a30 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -104,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "breaking-change-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,10 +126,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -163,7 +163,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -205,10 +205,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -282,7 +282,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -311,9 +311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -335,15 +335,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned." @@ -352,7 +352,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -446,7 +446,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -471,8 +471,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -483,7 +483,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -513,7 +513,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -562,7 +562,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -658,15 +658,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -675,7 +675,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -703,18 +703,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -789,9 +789,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -842,9 +842,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -902,7 +902,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -927,9 +927,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -941,9 +941,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -964,9 +964,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -982,9 +982,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1005,7 +1005,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1014,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1037,9 +1037,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1077,7 +1077,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1104,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' @@ -1116,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_copilot_to_created_issues.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index dab2e7dd281..938bb3caed5 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -81,7 +81,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -107,7 +107,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -129,9 +129,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -139,18 +139,18 @@ jobs: GH_AW_WORKFLOW_FILE: "changeset.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -172,15 +172,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_pull_request, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -212,7 +212,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -260,10 +260,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -336,7 +336,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -368,9 +368,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -395,15 +395,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1},"update_pull_request":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "update_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be updated." @@ -412,7 +412,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -527,7 +527,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -552,8 +552,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -564,7 +564,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -623,7 +623,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -671,7 +671,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -716,15 +716,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -735,7 +735,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -763,18 +763,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -850,9 +850,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -866,9 +866,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -926,7 +926,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate GitHub App token id: safe-outputs-app-token uses: actions/create-github-app-token@a7f885bf4560200d03183ed941cb6fb072e4b343 # v3.0.0-beta.4 @@ -961,9 +961,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -974,9 +974,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -997,9 +997,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1014,9 +1014,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.safe-outputs-app-token.outputs.token != '' @@ -1054,7 +1054,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1063,9 +1063,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1104,7 +1104,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1171,9 +1171,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.safe-outputs-app-token.outputs.token != '' diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index e7f4dda0b91..a376f243f52 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -103,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "ci-coach.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,16 +126,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -217,10 +217,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -299,7 +299,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -377,9 +377,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -401,15 +401,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[ci-coach] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ci-coach] \"." @@ -418,7 +418,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -515,7 +515,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -540,8 +540,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -552,7 +552,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -582,7 +582,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -631,7 +631,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -707,15 +707,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -724,7 +724,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -752,18 +752,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -845,9 +845,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -898,9 +898,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -960,7 +960,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -985,9 +985,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -999,9 +999,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1023,9 +1023,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1041,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1056,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1098,7 +1098,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1153,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1184,7 +1184,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index d59198e508f..dae35a92e67 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -73,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,7 +99,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -117,9 +117,9 @@ jobs: GH_AW_WORKFLOW_FILE: "ci-doctor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -145,11 +145,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_issue, missing_tool, missing_data, noop @@ -183,7 +183,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -232,10 +232,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -319,7 +319,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -365,9 +365,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -389,15 +389,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -408,7 +408,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -574,7 +574,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -599,8 +599,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -611,7 +611,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -641,7 +641,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -690,7 +690,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -765,15 +765,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -783,7 +783,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -811,18 +811,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -903,9 +903,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -955,9 +955,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1018,7 +1018,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1044,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1103,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1127,7 +1127,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1136,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check stop-time limit id: check_stop_time @@ -1148,9 +1148,9 @@ jobs: GH_AW_WORKFLOW_NAME: "CI Failure Doctor" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_stop_time.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_stop_time.cjs'); await main(); safe_outputs: @@ -1194,7 +1194,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1220,9 +1220,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1251,7 +1251,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index e9bbbad72f3..b1b722cb720 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "claude-code-user-docs-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -208,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -288,7 +288,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -327,9 +327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -354,15 +354,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -371,7 +371,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -458,7 +458,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -483,8 +483,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -495,7 +495,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -524,7 +524,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -572,7 +572,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -696,15 +696,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -714,7 +714,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -742,18 +742,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -832,9 +832,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -895,9 +895,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -957,7 +957,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -982,9 +982,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -996,9 +996,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1020,9 +1020,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1038,9 +1038,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1076,7 +1076,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1102,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1133,7 +1133,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 82b042eb45b..10452c2e2bf 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -57,7 +57,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,9 +96,9 @@ jobs: GH_AW_WORKFLOW_FILE: "cli-consistency-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,10 +118,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -155,7 +155,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -189,10 +189,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -267,7 +267,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -296,9 +296,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -320,15 +320,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[cli-consistency] \". Labels [\"automation\" \"cli\" \"documentation\" \"cookie\"] will be automatically added." @@ -337,7 +337,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -431,7 +431,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -456,8 +456,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -468,7 +468,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -498,7 +498,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -547,7 +547,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -623,15 +623,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -640,7 +640,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -668,18 +668,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -754,9 +754,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -807,9 +807,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -867,7 +867,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -891,9 +891,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -904,9 +904,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -925,9 +925,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -942,9 +942,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -980,7 +980,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1006,9 +1006,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index b9ffd5f77a5..51be3be4e9d 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "cli-version-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,11 +130,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -211,10 +211,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -289,7 +289,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -331,9 +331,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -358,15 +358,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[ca] \". Labels [\"automation\" \"dependencies\" \"cookie\"] will be automatically added." @@ -375,7 +375,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -469,7 +469,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -494,8 +494,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -506,7 +506,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -535,7 +535,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -583,7 +583,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -708,15 +708,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -726,7 +726,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -754,18 +754,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -844,9 +844,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -907,9 +907,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -968,7 +968,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -992,9 +992,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1005,9 +1005,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1026,9 +1026,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1043,9 +1043,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1081,7 +1081,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1107,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1138,7 +1138,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 72cc7ea56ca..3ffe22840cc 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -113,7 +113,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -139,7 +139,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -160,9 +160,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -170,18 +170,18 @@ jobs: GH_AW_WORKFLOW_FILE: "cloclo.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -192,9 +192,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎤 *Magnifique! Performance by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎵 Comme d'habitude! [{workflow_name}]({run_url}) takes the stage on this {event_type}...\",\"runSuccess\":\"🎤 Bravo! [{workflow_name}]({run_url}) has delivered a stunning performance! Standing ovation! 🌟\",\"runFailure\":\"🎵 Intermission... [{workflow_name}]({run_url}) {status}. The show must go on... eventually!\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Remove trigger label id: remove_trigger_label @@ -203,9 +203,9 @@ jobs: GH_AW_LABEL_NAMES: '["cloclo"]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/remove_trigger_label.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/remove_trigger_label.cjs'); await main(); - name: Create prompt with built-in context env: @@ -231,18 +231,18 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -274,9 +274,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -336,10 +336,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -422,7 +422,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -494,9 +494,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -533,27 +533,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"title_prefix":"[cloclo] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -563,7 +563,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -678,7 +678,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -703,8 +703,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -715,7 +715,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -746,7 +746,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -859,7 +859,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1027,15 +1027,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1045,7 +1045,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1074,18 +1074,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1165,9 +1165,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1228,9 +1228,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1291,7 +1291,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1315,9 +1315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1328,9 +1328,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1352,9 +1352,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1369,9 +1369,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1383,9 +1383,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1402,9 +1402,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1438,7 +1438,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1447,9 +1447,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1458,9 +1458,9 @@ jobs: GH_AW_COMMANDS: "[\"cloclo\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1503,7 +1503,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1558,9 +1558,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1589,7 +1589,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index b052a9a5061..56ce9e1dc73 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "code-scanning-fixer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,17 +123,17 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, add_labels, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -165,7 +165,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -206,10 +206,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -287,7 +287,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -313,7 +313,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/campaigns CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,9 +336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -360,15 +360,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_labels":{"allowed":["agentic-campaign","z_campaign_security-alert-burndown"],"max":3},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[code-scanning-fix] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/campaigns","id":"campaigns","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_labels": " CONSTRAINTS: Only these labels are allowed: [\"agentic-campaign\" \"z_campaign_security-alert-burndown\"].", @@ -378,7 +378,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_labels": { "defaultMax": 5, @@ -494,7 +494,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -519,8 +519,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -531,7 +531,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -561,7 +561,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -610,7 +610,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -686,15 +686,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -703,7 +703,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -731,18 +731,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -833,9 +833,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -886,9 +886,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -949,7 +949,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -973,9 +973,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -986,9 +986,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1044,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1067,7 +1067,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1076,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1099,9 +1099,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); push_repo_memory: @@ -1128,7 +1128,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1171,9 +1171,9 @@ jobs: FILE_GLOB_FILTER: "security-alert-burndown/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1212,7 +1212,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1267,9 +1267,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1298,7 +1298,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index de2483c93cf..1857581926d 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -67,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,7 +93,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -111,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "code-simplifier.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -133,15 +133,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -173,7 +173,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -214,10 +214,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -291,7 +291,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -320,9 +320,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -344,15 +344,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"reviewers":["copilot"],"title_prefix":"[code-simplifier] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[code-simplifier] \". Labels [\"refactoring\" \"code-quality\" \"automation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned." @@ -361,7 +361,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -458,7 +458,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -483,8 +483,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -495,7 +495,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -525,7 +525,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -574,7 +574,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -649,15 +649,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -667,7 +667,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -695,18 +695,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -782,9 +782,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -834,9 +834,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -895,7 +895,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -920,9 +920,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -934,9 +934,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -959,9 +959,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -977,9 +977,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -992,9 +992,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1015,7 +1015,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1024,9 +1024,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1047,9 +1047,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1089,7 +1089,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1144,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 8d35760d5d3..7c09df7e08d 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -56,7 +56,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,7 +82,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -101,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "codex-github-remote-mcp-test.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,9 +122,9 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -155,7 +155,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -188,10 +188,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -247,7 +247,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -276,9 +276,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -342,7 +342,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -376,7 +376,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -420,15 +420,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -439,7 +439,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -447,18 +447,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 8a5ae7ac113..d7d928591d2 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "commit-changes-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,10 +132,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -169,7 +169,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -208,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -282,7 +282,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -311,9 +311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -338,15 +338,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"dev\"." @@ -355,7 +355,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -442,7 +442,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -467,8 +467,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -479,7 +479,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -508,7 +508,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -556,7 +556,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -677,15 +677,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -695,7 +695,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -723,18 +723,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -807,9 +807,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,9 +870,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -931,7 +931,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -955,9 +955,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -968,9 +968,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -991,9 +991,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1008,9 +1008,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1045,7 +1045,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1071,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index f3001d1e8a1..42282c4bbbd 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -58,7 +58,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,7 +84,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "constraint-solving-potd.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,11 +124,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -162,7 +162,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -197,10 +197,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -274,7 +274,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -323,15 +323,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"max_bot_mentions":1,"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"🧩 Constraint Solving POTD:\". Discussions will be created in category \"announcements\"." @@ -340,7 +340,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -427,7 +427,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -452,8 +452,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -464,7 +464,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -494,7 +494,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -543,7 +543,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -618,15 +618,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -636,7 +636,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -665,18 +665,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -757,9 +757,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -809,9 +809,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -871,7 +871,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -895,9 +895,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -908,9 +908,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -931,9 +931,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -948,9 +948,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -985,7 +985,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1011,9 +1011,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1042,7 +1042,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 246baa77ade..4fecd94dfd6 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -61,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +87,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -105,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "contribution-check.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,10 +128,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, missing_tool, missing_data, noop @@ -165,7 +165,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -200,10 +200,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -277,7 +277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -306,9 +306,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -320,15 +320,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":10,"target":"*","target-repo":"${{ vars.TARGET_REPOSITORY }}"},"add_labels":{"allowed":["spam","needs-work","outdated","lgtm"],"max":4,"target":"*","target-repo":"${{ vars.TARGET_REPOSITORY }}"},"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 10 comment(s) can be added. Target: *. Comments will be added in repository \"${{ vars.TARGET_REPOSITORY }}\".", @@ -339,7 +339,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -470,7 +470,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -495,8 +495,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -507,7 +507,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -535,7 +535,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -584,7 +584,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -659,15 +659,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -677,7 +677,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -705,18 +705,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -791,9 +791,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -843,9 +843,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -905,7 +905,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -929,9 +929,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -942,9 +942,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -964,9 +964,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -981,9 +981,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1023,7 +1023,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1049,9 +1049,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index adcb7116da2..30ed6c1c1a5 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -66,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -92,7 +92,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -110,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-agent-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -133,12 +133,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -172,7 +172,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -226,10 +226,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -311,7 +311,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -345,7 +345,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -368,9 +368,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -395,15 +395,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-agent-analysis] \". Discussions will be created in category \"audits\"." @@ -412,7 +412,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -499,7 +499,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -524,8 +524,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -536,7 +536,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -565,7 +565,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -613,7 +613,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -737,15 +737,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -755,7 +755,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -783,18 +783,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -882,9 +882,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -945,9 +945,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1008,7 +1008,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1032,9 +1032,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1045,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1072,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1089,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1118,7 +1118,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1161,9 +1161,9 @@ jobs: FILE_GLOB_FILTER: "memory/copilot-agent-analysis/*.json memory/copilot-agent-analysis/*.jsonl memory/copilot-agent-analysis/*.csv memory/copilot-agent-analysis/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1198,7 +1198,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1224,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1255,7 +1255,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 7f0558bd531..3d7e73979ca 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-cli-deep-research.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,11 +124,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -162,7 +162,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -206,10 +206,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -291,7 +291,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -307,7 +307,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -330,9 +330,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -354,15 +354,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":204800,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-cli-research] \". Discussions will be created in category \"research\"." @@ -371,7 +371,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -458,7 +458,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -483,8 +483,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -495,7 +495,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -525,7 +525,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -574,7 +574,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -672,15 +672,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -689,7 +689,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -717,18 +717,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -812,9 +812,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -865,9 +865,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -927,7 +927,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -951,9 +951,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -964,9 +964,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -991,9 +991,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1008,9 +1008,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1037,7 +1037,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1080,9 +1080,9 @@ jobs: FILE_GLOB_FILTER: "memory/copilot-cli-research/*.json memory/copilot-cli-research/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1117,7 +1117,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1143,9 +1143,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index c090864def1..ced05f095e9 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -104,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-pr-merged-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,11 +126,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -164,7 +164,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -216,10 +216,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -297,7 +297,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -344,9 +344,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -368,15 +368,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-pr-merged-report] \". Discussions will be created in category \"audits\"." @@ -385,7 +385,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -472,7 +472,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -497,8 +497,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -509,16 +509,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -545,7 +545,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -554,17 +554,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -576,7 +576,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -610,7 +610,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -644,7 +644,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -707,7 +707,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -785,15 +785,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -802,7 +802,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -830,27 +830,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -932,9 +932,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -985,9 +985,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1047,7 +1047,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1071,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1107,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1124,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1161,7 +1161,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1187,9 +1187,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1218,7 +1218,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 0ae66e96537..679bb5cdd40 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -66,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -105,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-pr-nlp-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,12 +128,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -169,7 +169,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -230,10 +230,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -317,7 +317,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -380,7 +380,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -403,9 +403,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -427,15 +427,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[nlp-analysis] \". Discussions will be created in category \"audits\".", @@ -445,7 +445,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -541,7 +541,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -566,8 +566,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -578,7 +578,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -611,7 +611,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -660,7 +660,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -739,15 +739,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -756,7 +756,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -784,18 +784,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -894,9 +894,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -947,9 +947,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1011,7 +1011,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1035,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1048,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1075,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1092,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1121,7 +1121,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1164,9 +1164,9 @@ jobs: FILE_GLOB_FILTER: "memory/nlp-analysis/*.json memory/nlp-analysis/*.jsonl memory/nlp-analysis/*.csv memory/nlp-analysis/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1201,7 +1201,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1227,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1258,7 +1258,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1303,7 +1303,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1358,8 +1358,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index d23b330cd4b..f7b6d6e12da 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -104,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-pr-prompt-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,12 +127,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -221,10 +221,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -308,7 +308,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -342,7 +342,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -365,9 +365,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -389,15 +389,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[prompt-analysis] \". Discussions will be created in category \"audits\"." @@ -406,7 +406,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -493,7 +493,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -518,8 +518,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -530,7 +530,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -560,7 +560,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -609,7 +609,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -685,15 +685,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -702,7 +702,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -730,18 +730,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -831,9 +831,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -884,9 +884,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -947,7 +947,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -971,9 +971,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -984,9 +984,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1011,9 +1011,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1028,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1057,7 +1057,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1100,9 +1100,9 @@ jobs: FILE_GLOB_FILTER: "memory/prompt-analysis/*.json memory/prompt-analysis/*.jsonl memory/prompt-analysis/*.csv memory/prompt-analysis/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1137,7 +1137,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1163,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1194,7 +1194,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index f30e74c1adf..40500fa1c26 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -68,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -94,7 +94,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -112,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-session-insights.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -136,12 +136,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -177,7 +177,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -240,10 +240,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -326,7 +326,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -382,7 +382,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -405,9 +405,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -432,15 +432,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-session-insights] \". Discussions will be created in category \"audits\".", @@ -450,7 +450,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -546,7 +546,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -571,8 +571,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -583,7 +583,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -615,7 +615,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -663,7 +663,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -790,15 +790,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -808,7 +808,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -836,18 +836,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -944,9 +944,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1007,9 +1007,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1071,7 +1071,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1095,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1108,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1135,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1152,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1181,7 +1181,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1224,9 +1224,9 @@ jobs: FILE_GLOB_FILTER: "memory/session-insights/*.json memory/session-insights/*.jsonl memory/session-insights/*.csv memory/session-insights/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1261,7 +1261,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1287,9 +1287,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1318,7 +1318,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1363,7 +1363,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1418,8 +1418,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index e300f65223a..501f98a9a31 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -71,7 +71,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -113,9 +113,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -123,18 +123,18 @@ jobs: GH_AW_WORKFLOW_FILE: "craft.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -145,9 +145,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚒️ *Crafted with care by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🛠️ Master Crafter at work! [{workflow_name}]({run_url}) is forging a new workflow on this {event_type}...\",\"runSuccess\":\"⚒️ Masterpiece complete! [{workflow_name}]({run_url}) has crafted your workflow. May it serve you well! 🎖️\",\"runFailure\":\"🛠️ Forge cooling down! [{workflow_name}]({run_url}) {status}. The anvil awaits another attempt...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -169,15 +169,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -209,9 +209,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -251,10 +251,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -330,7 +330,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -364,9 +364,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -388,15 +388,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added." @@ -405,7 +405,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -504,7 +504,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -529,8 +529,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -541,7 +541,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -571,7 +571,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -620,7 +620,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -696,15 +696,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -713,7 +713,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -742,18 +742,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -829,9 +829,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -882,9 +882,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -944,7 +944,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -968,9 +968,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -981,9 +981,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1005,9 +1005,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1022,9 +1022,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1041,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1066,7 +1066,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1075,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1086,9 +1086,9 @@ jobs: GH_AW_COMMANDS: "[\"craft\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1131,7 +1131,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1186,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index c2035d0e777..3257d042641 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-architecture-diagram.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,16 +123,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -164,7 +164,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -202,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -282,7 +282,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -321,9 +321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -345,15 +345,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"create_pull_request":{"expires":168,"max":1,"title_prefix":"[architecture] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"🏗️ Architecture Diagram:\". Labels [\"architecture\" \"diagram\"] will be automatically added.", @@ -363,7 +363,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -493,7 +493,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -518,8 +518,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -530,7 +530,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -560,7 +560,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -609,7 +609,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -685,15 +685,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -702,7 +702,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -730,18 +730,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -823,9 +823,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -876,9 +876,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -938,7 +938,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -962,9 +962,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -975,9 +975,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -998,9 +998,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1015,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1029,9 +1029,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1072,7 +1072,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1158,7 +1158,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index ba06f23e71e..21d9519fd17 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -57,7 +57,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,9 +96,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-assign-issue-to-user.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,10 +118,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, assign_to_user, missing_tool, missing_data, noop @@ -155,7 +155,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -187,10 +187,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -264,7 +264,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -293,9 +293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -317,15 +317,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1,"target":"*"},"assign_to_user":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added. Target: *." @@ -334,7 +334,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -435,7 +435,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -460,8 +460,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -472,7 +472,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -502,7 +502,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -551,7 +551,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -627,15 +627,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -644,7 +644,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -672,18 +672,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -758,9 +758,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -811,9 +811,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -873,7 +873,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -897,9 +897,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -910,9 +910,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -931,9 +931,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -948,9 +948,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -989,7 +989,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1015,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index aab41a90320..4ef32e33ffa 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -58,7 +58,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,7 +84,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-choice-test.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,10 +124,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: missing_tool, missing_data, noop @@ -161,7 +161,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -193,10 +193,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -268,7 +268,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -297,9 +297,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -324,15 +324,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"test_environment":{"description":"A test job with choice input","inputs":{"environment":{"default":null,"description":"Target environment","options":["staging","production"],"required":true,"type":"choice"},"test_type":{"default":null,"description":"Type of test to run","options":["smoke","integration","e2e"],"required":true,"type":"choice"}},"output":"Environment test completed successfully"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": {}, "repo_params": {}, @@ -371,7 +371,7 @@ jobs: ] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -432,7 +432,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -457,8 +457,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -469,7 +469,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -498,7 +498,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -546,7 +546,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -667,15 +667,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -685,7 +685,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -713,18 +713,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -797,9 +797,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -860,9 +860,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -918,7 +918,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -943,9 +943,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -957,9 +957,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -979,9 +979,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -997,9 +997,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1032,7 +1032,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); test_environment: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 75cf0da1b92..80395d0afa2 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-cli-performance.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,11 +126,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, missing_tool, missing_data, noop @@ -164,7 +164,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -212,10 +212,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -296,7 +296,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -312,7 +312,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -335,9 +335,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -359,15 +359,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":5},"create_issue":{"expires":48,"group":true,"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":512000,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 5 comment(s) can be added.", @@ -377,7 +377,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -489,7 +489,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -514,8 +514,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -526,16 +526,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "go", @@ -576,7 +576,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -585,17 +585,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash # Auto-generated mcp-script tool: go # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -607,8 +607,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GO_EOF - chmod +x /opt/gh-aw/mcp-scripts/go.sh - cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/go.sh + cat > ${GH_AW_HOME}/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash # Auto-generated mcp-script tool: make # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -619,7 +619,7 @@ jobs: make $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/mcp-scripts/make.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/make.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -651,7 +651,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -683,7 +683,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -746,7 +746,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -822,15 +822,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -839,7 +839,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -867,27 +867,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -972,9 +972,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1025,9 +1025,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1088,7 +1088,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1113,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1153,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1171,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1200,7 +1200,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1243,9 +1243,9 @@ jobs: FILE_GLOB_FILTER: "memory/cli-performance/*.json memory/cli-performance/*.jsonl memory/cli-performance/*.txt" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1286,7 +1286,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1312,9 +1312,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 5dd14580c84..4fbf1cf7df6 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-cli-tools-tester.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -204,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -281,7 +281,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -340,9 +340,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -376,27 +376,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[cli-tools-test] \". Labels [\"testing\" \"automation\" \"cli-tools\"] will be automatically added." @@ -405,7 +405,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -499,7 +499,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -524,8 +524,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -536,7 +536,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -567,7 +567,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -635,7 +635,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -710,15 +710,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -728,7 +728,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -756,18 +756,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -842,9 +842,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -894,9 +894,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -954,7 +954,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -978,9 +978,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -991,9 +991,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1068,7 +1068,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1094,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index e7668a4857f..cb2a0da8e74 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-code-metrics.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,12 +132,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -173,7 +173,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -223,10 +223,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -307,7 +307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -356,7 +356,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -379,9 +379,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -406,15 +406,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":51200}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -424,7 +424,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -520,7 +520,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -545,8 +545,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -557,7 +557,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -589,7 +589,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -637,7 +637,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -764,15 +764,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -782,7 +782,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -810,18 +810,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -918,9 +918,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -981,9 +981,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1045,7 +1045,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1070,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1112,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1159,7 +1159,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1202,9 +1202,9 @@ jobs: FILE_GLOB_FILTER: "*.json *.jsonl *.csv *.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1240,7 +1240,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1266,9 +1266,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1297,7 +1297,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1342,7 +1342,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1398,8 +1398,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 2c33deaf0f1..e40ac5d242d 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-compiler-quality.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,11 +124,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -162,7 +162,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -205,10 +205,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -285,7 +285,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -324,9 +324,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -348,15 +348,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -365,7 +365,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -452,7 +452,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -477,8 +477,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -489,7 +489,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -519,7 +519,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -583,7 +583,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -680,15 +680,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -697,7 +697,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -725,18 +725,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -817,9 +817,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,9 +870,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -932,7 +932,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -957,9 +957,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -971,9 +971,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -995,9 +995,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1051,7 +1051,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1108,7 +1108,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index ad805a67c7a..22569887c4b 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-copilot-token-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,12 +125,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -214,10 +214,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -301,7 +301,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Checkout code @@ -384,7 +384,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -407,9 +407,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -431,15 +431,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -449,7 +449,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -545,7 +545,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -570,8 +570,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -582,7 +582,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -615,7 +615,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -664,7 +664,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -743,15 +743,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -760,7 +760,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -788,18 +788,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -898,9 +898,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -951,9 +951,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1015,7 +1015,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1040,9 +1040,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1054,9 +1054,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1082,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1100,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1129,7 +1129,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1172,9 +1172,9 @@ jobs: FILE_GLOB_FILTER: "memory/token-metrics/*.json memory/token-metrics/*.jsonl memory/token-metrics/*.csv memory/token-metrics/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1210,7 +1210,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1236,9 +1236,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1267,7 +1267,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1312,7 +1312,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1368,8 +1368,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index f306646525d..54f39a9f2f1 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-doc-healer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,16 +130,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -171,7 +171,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -213,10 +213,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -291,7 +291,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -347,9 +347,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -374,15 +374,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":72,"max":1},"create_pull_request":{"expires":72,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[doc-healer] \". Labels [\"documentation\" \"automation\"] will be automatically added. Assignees [\"copilot\"] will be automatically assigned.", @@ -392,7 +392,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -522,7 +522,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -547,8 +547,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -559,16 +559,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -596,7 +596,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -605,17 +605,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -627,7 +627,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -659,7 +659,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -690,7 +690,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -752,7 +752,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -901,15 +901,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -919,7 +919,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -947,27 +947,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1048,9 +1048,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1111,9 +1111,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1173,7 +1173,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1198,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1212,9 +1212,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1236,9 +1236,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1254,9 +1254,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1269,9 +1269,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1313,7 +1313,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1369,9 +1369,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' @@ -1381,9 +1381,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_copilot_to_created_issues.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1412,7 +1412,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 6c42faf64f2..4af1f827852 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-doc-updater.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,16 +129,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -170,7 +170,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -209,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -287,7 +287,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -343,9 +343,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -370,15 +370,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"auto_merge":true,"expires":24,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"automation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned." @@ -387,7 +387,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -484,7 +484,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -509,8 +509,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -521,16 +521,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -558,7 +558,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -567,17 +567,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -589,7 +589,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -621,7 +621,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -652,7 +652,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -714,7 +714,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -864,15 +864,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -882,7 +882,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -910,27 +910,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1011,9 +1011,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1074,9 +1074,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1136,7 +1136,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1161,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1175,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1199,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1217,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1232,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1274,7 +1274,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1329,9 +1329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1360,7 +1360,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 3d0ed10593d..15c3734c9a8 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -53,7 +53,7 @@ jobs: - name: Setup Scripts uses: github/gh-aw-actions/setup@c303e453d96fe6789ee8cb3d63033c710eac347a # v0 with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -79,7 +79,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -89,9 +89,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-fact.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -111,10 +111,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -148,7 +148,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -248,10 +248,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -318,7 +318,7 @@ jobs: - name: Setup Scripts uses: github/gh-aw-actions/setup@c303e453d96fe6789ee8cb3d63033c710eac347a # v0 with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -347,9 +347,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -374,15 +374,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1,"target":"4750"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added. Target: 4750." @@ -391,7 +391,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -470,7 +470,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -495,8 +495,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -507,7 +507,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -566,7 +566,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -614,7 +614,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -659,15 +659,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -678,7 +678,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -706,18 +706,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -792,9 +792,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -831,9 +831,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -886,7 +886,7 @@ jobs: - name: Setup Scripts uses: github/gh-aw-actions/setup@c303e453d96fe6789ee8cb3d63033c710eac347a # v0 with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -911,9 +911,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -925,9 +925,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -948,9 +948,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -966,9 +966,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1002,7 +1002,7 @@ jobs: - name: Setup Scripts uses: github/gh-aw-actions/setup@c303e453d96fe6789ee8cb3d63033c710eac347a # v0 with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1028,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index a73ef0f916e..5060683cd81 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -67,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -106,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-file-diet.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,10 +128,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -165,7 +165,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -212,10 +212,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -319,9 +319,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -343,15 +343,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[file-diet] \". Labels [\"refactoring\" \"code-health\" \"automated-analysis\" \"cookie\"] will be automatically added." @@ -360,7 +360,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -454,7 +454,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -479,8 +479,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -491,7 +491,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -521,7 +521,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -585,7 +585,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -683,15 +683,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -700,7 +700,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -728,18 +728,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -814,9 +814,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -867,9 +867,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -927,7 +927,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate GitHub App token id: safe-outputs-app-token uses: actions/create-github-app-token@a7f885bf4560200d03183ed941cb6fb072e4b343 # v3.0.0-beta.4 @@ -963,9 +963,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -977,9 +977,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -999,9 +999,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1017,9 +1017,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.safe-outputs-app-token.outputs.token != '' @@ -1053,7 +1053,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1062,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1085,9 +1085,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1124,7 +1124,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1161,9 +1161,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.safe-outputs-app-token.outputs.token != '' diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index bf88cffdd54..1cb50f174c0 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-firewall-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,12 +130,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -171,7 +171,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -212,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -294,7 +294,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -386,9 +386,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -422,27 +422,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -452,7 +452,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -548,7 +548,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -573,8 +573,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -585,7 +585,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -619,7 +619,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -687,7 +687,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -765,15 +765,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -783,7 +783,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -811,18 +811,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -912,9 +912,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -964,9 +964,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1027,7 +1027,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1052,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1066,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1109,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1147,7 +1147,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1173,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1204,7 +1204,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1249,7 +1249,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1305,8 +1305,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 27094114221..cb2ddb71dc1 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-function-namer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,11 +130,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -212,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -329,9 +329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -356,15 +356,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[function-namer] \". Labels [\"refactoring\" \"code-quality\" \"automated-analysis\" \"cookie\"] will be automatically added." @@ -373,7 +373,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -467,7 +467,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -492,8 +492,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -504,7 +504,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -533,7 +533,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -604,7 +604,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -740,15 +740,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -758,7 +758,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -786,18 +786,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -876,9 +876,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -939,9 +939,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1000,7 +1000,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1025,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1039,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1061,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1079,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1118,7 +1118,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1144,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1175,7 +1175,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 699df825587..015a9418905 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -70,7 +70,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,7 +99,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -118,9 +118,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-issues-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -140,11 +140,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, upload_asset, missing_tool, missing_data, noop @@ -180,7 +180,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -236,10 +236,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -317,7 +317,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -388,9 +388,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -415,15 +415,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "close_discussion": " CONSTRAINTS: Maximum 10 discussion(s) can be closed.", @@ -434,7 +434,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -557,7 +557,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -582,8 +582,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -594,7 +594,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -656,7 +656,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -705,7 +705,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -753,15 +753,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -772,7 +772,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -800,18 +800,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -901,9 +901,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -940,9 +940,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1003,7 +1003,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1028,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1042,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1066,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1107,7 +1107,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1116,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1154,7 +1154,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1180,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1211,7 +1211,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1256,7 +1256,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1312,8 +1312,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index c798a718c02..747bdea3a0f 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-malicious-code-scan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,10 +123,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_code_scanning_alert, missing_tool, missing_data, noop @@ -160,7 +160,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -196,10 +196,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -271,7 +271,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -300,9 +300,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -324,22 +324,22 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_code_scanning_alert":{"max":0},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": {}, "repo_params": {}, "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_code_scanning_alert": { "defaultMax": 40, @@ -441,7 +441,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -466,8 +466,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -478,7 +478,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -508,7 +508,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -557,7 +557,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -633,15 +633,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -650,7 +650,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -678,18 +678,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -752,7 +752,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -777,9 +777,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -791,9 +791,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -813,9 +813,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -831,9 +831,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -868,7 +868,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -894,9 +894,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 36645b96ef9..0bedac6ab57 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-mcp-concurrency-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,11 +123,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_agent_session, missing_tool, missing_data, noop @@ -161,7 +161,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -204,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -284,7 +284,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -323,9 +323,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -347,15 +347,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_agent_session":{"max":3},"create_issue":{"expires":168,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_agent_session": " CONSTRAINTS: Maximum 3 agent task(s) can be created.", @@ -365,7 +365,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_agent_session": { "defaultMax": 1, @@ -474,7 +474,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -499,8 +499,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -511,7 +511,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -541,7 +541,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -605,7 +605,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -703,15 +703,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -720,7 +720,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -748,18 +748,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -840,9 +840,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -893,9 +893,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -954,7 +954,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate GitHub App token id: safe-outputs-app-token uses: actions/create-github-app-token@a7f885bf4560200d03183ed941cb6fb072e4b343 # v3.0.0-beta.4 @@ -990,9 +990,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1004,9 +1004,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1026,9 +1026,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1044,9 +1044,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.safe-outputs-app-token.outputs.token != '' @@ -1098,7 +1098,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1135,9 +1135,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Create Agent Session id: create_agent_session @@ -1148,7 +1148,7 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); - name: Invalidate GitHub App token @@ -1191,7 +1191,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 8fd38bb226b..09d7d781cd1 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -69,7 +69,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -95,7 +95,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -113,9 +113,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-multi-device-docs-tester.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -136,11 +136,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, upload_asset, missing_tool, missing_data, noop @@ -176,7 +176,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -220,10 +220,10 @@ jobs: GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -296,7 +296,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -325,9 +325,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -352,15 +352,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"cookie\"] will be automatically added.", @@ -370,7 +370,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -473,7 +473,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -498,8 +498,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -510,7 +510,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -543,7 +543,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -615,7 +615,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -782,15 +782,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -800,7 +800,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -828,18 +828,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -921,9 +921,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -984,9 +984,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1045,7 +1045,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1070,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1106,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1124,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1163,7 +1163,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1189,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1222,7 +1222,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1278,8 +1278,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 6b1a48c6f24..e087c816e49 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -104,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-news.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,12 +127,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -224,10 +224,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -312,7 +312,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -429,7 +429,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -452,9 +452,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -476,15 +476,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"daily-news\".", @@ -494,7 +494,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -590,7 +590,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -615,8 +615,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -627,7 +627,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -661,7 +661,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -730,7 +730,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -810,15 +810,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -828,7 +828,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -856,18 +856,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -966,9 +966,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1019,9 +1019,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1083,7 +1083,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1108,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1122,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1150,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1168,9 +1168,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1197,7 +1197,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1240,9 +1240,9 @@ jobs: FILE_GLOB_FILTER: "memory/daily-news/*.json memory/daily-news/*.jsonl memory/daily-news/*.csv memory/daily-news/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1278,7 +1278,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1304,9 +1304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1335,7 +1335,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1380,7 +1380,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1436,8 +1436,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 5a17b7edb98..5351bc06130 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -110,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-observability-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,11 +132,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, missing_tool, missing_data, noop @@ -170,7 +170,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -208,10 +208,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -286,7 +286,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -345,9 +345,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -384,27 +384,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "close_discussion": " CONSTRAINTS: Maximum 10 discussion(s) can be closed.", @@ -414,7 +414,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -528,7 +528,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -553,8 +553,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -565,7 +565,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -635,7 +635,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -701,7 +701,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -746,15 +746,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -765,7 +765,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -793,18 +793,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -879,9 +879,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -918,9 +918,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -979,7 +979,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1004,9 +1004,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1018,9 +1018,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1042,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1060,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1083,7 +1083,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1092,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1130,7 +1130,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1156,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 270bdeea9a3..a0853f7f5c3 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-performance-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -131,11 +131,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, upload_asset, missing_tool, missing_data, noop @@ -171,7 +171,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -217,10 +217,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -298,7 +298,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -360,9 +360,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -384,15 +384,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "close_discussion": " CONSTRAINTS: Maximum 10 discussion(s) can be closed.", @@ -403,7 +403,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -526,7 +526,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -551,8 +551,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -563,16 +563,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "github-discussion-query", @@ -663,7 +663,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -672,17 +672,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -818,8 +818,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -899,8 +899,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -986,7 +986,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1019,7 +1019,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1055,7 +1055,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1118,7 +1118,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1197,15 +1197,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1215,7 +1215,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1243,27 +1243,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1354,9 +1354,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1406,9 +1406,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1469,7 +1469,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1494,9 +1494,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1508,9 +1508,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1533,9 +1533,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1551,9 +1551,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1589,7 +1589,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1615,9 +1615,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1646,7 +1646,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1691,7 +1691,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1747,8 +1747,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 99f3d6ea2bb..dcab688bd0c 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-regulatory.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,10 +130,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -207,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -285,7 +285,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -314,9 +314,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -338,15 +338,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "close_discussion": " CONSTRAINTS: Maximum 10 discussion(s) can be closed.", @@ -356,7 +356,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -470,7 +470,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -495,8 +495,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -507,16 +507,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "github-discussion-query", @@ -607,7 +607,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -616,17 +616,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -762,8 +762,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -843,8 +843,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -930,7 +930,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -963,7 +963,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -996,7 +996,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1059,7 +1059,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1135,15 +1135,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1153,7 +1153,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1181,27 +1181,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1277,9 +1277,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1329,9 +1329,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1390,7 +1390,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1415,9 +1415,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1429,9 +1429,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1454,9 +1454,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1472,9 +1472,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1510,7 +1510,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1536,9 +1536,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 6b7734743a5..772d1d9ccb7 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -67,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,7 +93,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -111,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-rendering-scripts-verifier.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -133,17 +133,17 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -175,7 +175,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -219,10 +219,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -299,7 +299,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -368,9 +368,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -407,27 +407,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":72,"max":1,"reviewers":["copilot"],"title_prefix":"[rendering-scripts] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[rendering-scripts] \". Labels [\"rendering\" \"javascript\" \"automated-fix\"] will be automatically added. Reviewers [\"copilot\"] will be assigned." @@ -436,7 +436,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -533,7 +533,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -558,8 +558,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -570,7 +570,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -600,7 +600,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -666,7 +666,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -820,15 +820,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -838,7 +838,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -866,18 +866,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -957,9 +957,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1020,9 +1020,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1082,7 +1082,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1107,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1121,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1145,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1163,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1178,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1201,7 +1201,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1210,9 +1210,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1233,9 +1233,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1275,7 +1275,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1330,9 +1330,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1361,7 +1361,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 9858a9402c1..1b5c41f6d9d 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-repo-chronicle.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,11 +124,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -164,7 +164,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -209,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -352,9 +352,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -376,15 +376,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"📰 \". Discussions will be created in category \"announcements\".", @@ -394,7 +394,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -490,7 +490,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -515,8 +515,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -527,7 +527,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -560,7 +560,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -609,7 +609,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -688,15 +688,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -705,7 +705,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -733,18 +733,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -834,9 +834,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -887,9 +887,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -950,7 +950,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -975,9 +975,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -989,9 +989,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1031,9 +1031,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1069,7 +1069,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1095,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1126,7 +1126,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1171,7 +1171,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1227,8 +1227,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index c1a1ff38b32..ab02c8c9dcd 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml +++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -1,4 +1,3 @@ -# # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -63,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-safe-output-integrator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,15 +123,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -164,7 +163,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -201,10 +200,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -278,7 +277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -307,9 +306,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -331,15 +330,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":72,"max":1,"title_prefix":"[safe-output-integrator] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[safe-output-integrator] \". Labels [\"safe-outputs\" \"testing\" \"automation\"] will be automatically added." @@ -348,7 +347,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -445,7 +444,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -470,8 +469,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -482,7 +481,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -512,7 +511,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -561,7 +560,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -671,15 +670,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -688,7 +687,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -716,18 +715,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -803,9 +802,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -856,9 +855,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -917,7 +916,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -942,9 +941,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -956,9 +955,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -980,9 +979,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -998,9 +997,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1013,9 +1012,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1055,7 +1054,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1110,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 7b2827a91d2..8159facb090 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -68,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -94,7 +94,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -112,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-safe-output-optimizer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -134,12 +134,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -173,7 +173,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -219,10 +219,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -299,7 +299,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -375,9 +375,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -414,27 +414,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[safeoutputs] \". Labels [\"bug\" \"safe-outputs\" \"tool-improvement\" \"automated-analysis\" \"cookie\"] will be automatically added." @@ -443,7 +443,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -537,7 +537,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -562,8 +562,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -574,7 +574,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -604,7 +604,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -670,7 +670,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -809,15 +809,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -827,7 +827,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -855,18 +855,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -945,9 +945,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1008,9 +1008,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1069,7 +1069,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1093,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1106,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1144,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1167,7 +1167,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1176,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1199,9 +1199,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1237,7 +1237,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1263,9 +1263,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1294,7 +1294,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 7322b778e05..1eb2d247e41 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-safe-outputs-conformance.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,10 +129,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -203,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -277,7 +277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -306,9 +306,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -333,15 +333,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":24,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[Safe Outputs Conformance] \". Labels [\"safe-outputs\" \"conformance\" \"automated\"] will be automatically added." @@ -350,7 +350,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -444,7 +444,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -469,8 +469,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -481,7 +481,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -510,7 +510,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -558,7 +558,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -678,15 +678,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -696,7 +696,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -724,18 +724,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -808,9 +808,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -871,9 +871,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -931,7 +931,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -956,9 +956,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -970,9 +970,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -992,9 +992,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1010,9 +1010,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1049,7 +1049,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1075,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 902b7c57dc2..82a81cd326b 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-secrets-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,10 +123,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, missing_tool, missing_data, noop @@ -160,7 +160,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -197,10 +197,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -275,7 +275,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -304,9 +304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -328,15 +328,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "close_discussion": " CONSTRAINTS: Maximum 10 discussion(s) can be closed.", @@ -346,7 +346,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -460,7 +460,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -485,8 +485,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -497,7 +497,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -527,7 +527,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -576,7 +576,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -652,15 +652,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -669,7 +669,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -697,18 +697,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -783,9 +783,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -836,9 +836,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -897,7 +897,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -922,9 +922,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -936,9 +936,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -960,9 +960,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -978,9 +978,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1016,7 +1016,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1042,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 86ebfa4f95d..43254374ed5 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-security-red-team.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,10 +130,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -206,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -281,7 +281,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -310,9 +310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -337,15 +337,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"🚨 [SECURITY]\". Labels [\"security\" \"red-team\"] will be automatically added." @@ -354,7 +354,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -448,7 +448,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -473,8 +473,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -485,7 +485,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -514,7 +514,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -562,7 +562,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -682,15 +682,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -700,7 +700,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -728,18 +728,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -812,9 +812,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -875,9 +875,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -935,7 +935,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -960,9 +960,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -974,9 +974,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -996,9 +996,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1014,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1053,7 +1053,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1079,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index acebb665599..b86a605273a 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-semgrep-scan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,10 +129,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_code_scanning_alert, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -201,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -278,7 +278,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -307,9 +307,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -331,22 +331,22 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine semgrep/semgrep:latest - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_code_scanning_alert":{"max":0},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": {}, "repo_params": {}, "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_code_scanning_alert": { "defaultMax": 40, @@ -448,7 +448,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -473,8 +473,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -485,7 +485,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -515,7 +515,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -584,7 +584,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -659,15 +659,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -677,7 +677,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -705,18 +705,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -791,9 +791,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -843,9 +843,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -903,7 +903,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -927,9 +927,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -940,9 +940,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -962,9 +962,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -979,9 +979,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1015,7 +1015,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1041,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index fd5e1445511..038651104b5 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-syntax-error-quality.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,10 +123,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -160,7 +160,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -197,10 +197,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -274,7 +274,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -316,9 +316,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -340,15 +340,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[syntax-error-quality] \". Labels [\"dx\" \"error-messages\" \"automated-analysis\"] will be automatically added." @@ -357,7 +357,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -451,7 +451,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -476,8 +476,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -488,7 +488,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -518,7 +518,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -567,7 +567,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -664,15 +664,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -681,7 +681,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -709,18 +709,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -795,9 +795,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -848,9 +848,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -908,7 +908,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -933,9 +933,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -947,9 +947,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -969,9 +969,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -987,9 +987,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1026,7 +1026,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1052,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index b1cb53928e9..d96e5553c7b 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-team-evolution-insights.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,10 +129,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -203,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -280,7 +280,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -309,9 +309,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -336,15 +336,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -353,7 +353,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -440,7 +440,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -465,8 +465,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -477,7 +477,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -506,7 +506,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -554,7 +554,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -674,15 +674,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -692,7 +692,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -720,18 +720,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -804,9 +804,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -867,9 +867,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -928,7 +928,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -953,9 +953,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -967,9 +967,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -991,9 +991,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1009,9 +1009,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1047,7 +1047,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1073,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 82ffa023ab8..cee1bbdb182 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -72,7 +72,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -98,7 +98,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -116,9 +116,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-team-status.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -138,10 +138,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -175,7 +175,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -211,10 +211,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -288,7 +288,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -317,9 +317,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -341,15 +341,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[team-status] \". Labels [\"automation\" \"daily-report\"] will be automatically added." @@ -358,7 +358,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -452,7 +452,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -477,8 +477,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -489,7 +489,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -519,7 +519,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -568,7 +568,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -643,15 +643,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -661,7 +661,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -689,18 +689,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -775,9 +775,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -827,9 +827,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -887,7 +887,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -914,9 +914,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -930,9 +930,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -955,9 +955,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -975,9 +975,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -998,7 +998,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check stop-time limit id: check_stop_time uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1007,9 +1007,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Daily Team Status" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_stop_time.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_stop_time.cjs'); await main(); safe_outputs: @@ -1048,7 +1048,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1074,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 55eaeaa2a99..5d0fe7d2633 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -68,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-testify-uber-super-expert.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,11 +130,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -221,10 +221,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -305,7 +305,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -321,7 +321,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -344,9 +344,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -368,15 +368,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":51200,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[testify-expert] \". Labels [\"testing\" \"code-quality\" \"automated-analysis\" \"cookie\"] will be automatically added." @@ -385,7 +385,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -479,7 +479,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -504,8 +504,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -516,7 +516,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -546,7 +546,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -610,7 +610,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -707,15 +707,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -724,7 +724,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -752,18 +752,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -847,9 +847,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -900,9 +900,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -961,7 +961,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate GitHub App token id: safe-outputs-app-token uses: actions/create-github-app-token@a7f885bf4560200d03183ed941cb6fb072e4b343 # v3.0.0-beta.4 @@ -997,9 +997,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1011,9 +1011,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1037,9 +1037,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1055,9 +1055,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.safe-outputs-app-token.outputs.token != '' @@ -1091,7 +1091,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1100,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1123,9 +1123,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); push_repo_memory: @@ -1152,7 +1152,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1195,9 +1195,9 @@ jobs: FILE_GLOB_FILTER: "memory/testify-expert/*.json memory/testify-expert/*.txt" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1234,7 +1234,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1271,9 +1271,9 @@ jobs: with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.safe-outputs-app-token.outputs.token != '' diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index f8f6a5f25de..5d5d39794e6 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -58,7 +58,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,9 +97,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-workflow-updater.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,15 +119,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -159,7 +159,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -191,10 +191,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -268,7 +268,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -297,9 +297,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -321,15 +321,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"title_prefix":"[actions] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[actions] \". Labels [\"dependencies\" \"automation\"] will be automatically added." @@ -338,7 +338,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -435,7 +435,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -460,8 +460,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -472,7 +472,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -502,7 +502,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -551,7 +551,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -627,15 +627,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -644,7 +644,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -672,18 +672,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -759,9 +759,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -812,9 +812,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -873,7 +873,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -898,9 +898,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -912,9 +912,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -936,9 +936,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -954,9 +954,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -969,9 +969,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1011,7 +1011,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1066,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 7b423fd3568..82b3348d705 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -104,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dead-code-remover.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,16 +127,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -211,10 +211,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -293,7 +293,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -342,9 +342,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -366,15 +366,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":72,"max":1,"reviewers":["copilot"],"title_prefix":"[dead-code] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[dead-code] \". Labels [\"chore\" \"dead-code\"] will be automatically added. Reviewers [\"copilot\"] will be assigned." @@ -383,7 +383,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -480,7 +480,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -505,8 +505,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -517,7 +517,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -547,7 +547,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -596,7 +596,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -672,15 +672,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -689,7 +689,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -717,18 +717,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -810,9 +810,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -863,9 +863,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -925,7 +925,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -949,9 +949,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -962,9 +962,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -985,9 +985,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1002,9 +1002,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1016,9 +1016,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1039,7 +1039,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1048,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1071,9 +1071,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1112,7 +1112,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1167,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1198,7 +1198,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 2053d9d6e5c..da0f4a63538 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "deep-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,13 +132,13 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, upload_asset, missing_tool, missing_data, noop @@ -174,7 +174,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -224,10 +224,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -311,7 +311,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -375,7 +375,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -398,9 +398,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -437,27 +437,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_issue":{"expires":48,"group":true,"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":1048576,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"reports\".", @@ -468,7 +468,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -597,7 +597,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -622,8 +622,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -634,7 +634,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -707,7 +707,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -773,7 +773,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -821,15 +821,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -840,7 +840,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -868,18 +868,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -978,9 +978,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1017,9 +1017,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1081,7 +1081,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1106,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1120,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1148,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1166,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1195,7 +1195,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1238,9 +1238,9 @@ jobs: FILE_GLOB_FILTER: "memory/deep-report/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1278,7 +1278,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1304,9 +1304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1335,7 +1335,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1380,7 +1380,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1436,8 +1436,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index e2a193abef9..1051ce7df0f 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "delight.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,11 +125,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, missing_tool, missing_data, noop @@ -163,7 +163,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -209,10 +209,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -293,7 +293,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -312,7 +312,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -335,9 +335,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -359,15 +359,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_issue":{"expires":48,"group":true,"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -377,7 +377,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -497,7 +497,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -522,8 +522,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -534,7 +534,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -564,7 +564,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -613,7 +613,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -712,15 +712,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -729,7 +729,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -757,18 +757,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -852,9 +852,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -905,9 +905,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -967,7 +967,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -992,9 +992,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1006,9 +1006,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1035,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1053,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1082,7 +1082,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1125,9 +1125,9 @@ jobs: FILE_GLOB_FILTER: "memory/delight/*.json memory/delight/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1166,7 +1166,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1192,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 18e8954c0bb..f4c1f5dabe2 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dependabot-burner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,10 +130,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -203,10 +203,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -280,7 +280,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -309,9 +309,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -333,15 +333,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[dependabot-burner] \"." @@ -350,7 +350,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -444,7 +444,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -469,8 +469,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -481,7 +481,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -511,7 +511,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -560,7 +560,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -635,15 +635,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -653,7 +653,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -681,18 +681,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -767,9 +767,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -819,9 +819,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -879,7 +879,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -903,9 +903,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -916,9 +916,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -938,9 +938,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -955,9 +955,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -978,7 +978,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -987,9 +987,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1025,7 +1025,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1051,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 93b6917da3d..d7fcb4480c8 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +88,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dependabot-go-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,10 +128,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, close_issue, missing_tool, missing_data, noop @@ -165,7 +165,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -201,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -279,7 +279,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -308,9 +308,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -332,15 +332,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_issue":{"max":20,"required_title_prefix":"[deps]","target":"*"},"create_issue":{"expires":48,"group":true,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "close_issue": " CONSTRAINTS: Maximum 20 issue(s) can be closed. Target: *. Only issues with title prefix \"[deps]\" can be closed.", @@ -350,7 +350,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_issue": { "defaultMax": 1, @@ -462,7 +462,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -487,8 +487,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -499,7 +499,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -529,7 +529,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -578,7 +578,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -653,15 +653,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -671,7 +671,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -699,18 +699,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -785,9 +785,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -837,9 +837,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -897,7 +897,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -921,9 +921,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -934,9 +934,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -956,9 +956,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -973,9 +973,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1011,7 +1011,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1037,9 +1037,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 709c3914f5c..7a8e2856fac 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -68,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dev-hawk.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -135,11 +135,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -173,7 +173,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -219,10 +219,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -303,7 +303,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -362,9 +362,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -398,27 +398,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added. Target: *." @@ -427,7 +427,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -506,7 +506,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -531,8 +531,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -543,7 +543,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -574,7 +574,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -642,7 +642,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -734,15 +734,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -751,7 +751,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -779,18 +779,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -865,9 +865,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -918,9 +918,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -980,7 +980,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1004,9 +1004,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1017,9 +1017,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1039,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1056,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1080,7 +1080,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1089,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1130,7 +1130,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1156,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 6b990a01f75..efeda6163b6 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -57,7 +57,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,9 +96,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dev.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,10 +118,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -155,7 +155,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -187,10 +187,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -264,7 +264,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -293,9 +293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -317,15 +317,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[Daily Report] \"." @@ -334,7 +334,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -428,7 +428,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -453,8 +453,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -465,7 +465,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -495,7 +495,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -544,7 +544,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -620,15 +620,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -637,7 +637,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -665,18 +665,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -751,9 +751,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -804,9 +804,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -864,7 +864,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -888,9 +888,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -901,9 +901,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -922,9 +922,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -939,9 +939,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -977,7 +977,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1003,9 +1003,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 6e8a6d9ba33..24230a7d10a 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "developer-docs-consolidator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -131,17 +131,17 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -173,7 +173,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -225,10 +225,10 @@ jobs: GH_AW_WIKI_NOTE: "\n\n> **GitHub Wiki**: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)." with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -310,7 +310,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -353,7 +353,7 @@ jobs: TARGET_REPO: ${{ github.repository }}.wiki MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: false - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -376,9 +376,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -403,15 +403,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_pull_request":{"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -421,7 +421,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -544,7 +544,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -569,8 +569,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -581,16 +581,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -618,7 +618,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -627,17 +627,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -649,7 +649,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -681,7 +681,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -712,7 +712,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -797,7 +797,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -946,15 +946,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -964,7 +964,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -992,27 +992,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1102,9 +1102,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1165,9 +1165,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1229,7 +1229,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1253,9 +1253,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1266,9 +1266,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1295,9 +1295,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1312,9 +1312,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1326,9 +1326,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1355,7 +1355,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1398,9 +1398,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1440,7 +1440,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1495,9 +1495,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1526,7 +1526,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 63955d3d9b2..8627cc384b2 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dictation-prompt.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,15 +123,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -163,7 +163,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -201,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -278,7 +278,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -324,9 +324,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -348,15 +348,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"auto_merge":true,"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"automation\"] will be automatically added." @@ -365,7 +365,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -462,7 +462,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -487,8 +487,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -499,16 +499,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -536,7 +536,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -545,17 +545,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -567,7 +567,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -599,7 +599,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -631,7 +631,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -694,7 +694,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -770,15 +770,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -787,7 +787,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -815,27 +815,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -912,9 +912,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -965,9 +965,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1026,7 +1026,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1050,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1063,9 +1063,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1086,9 +1086,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1103,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1117,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1158,7 +1158,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1213,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index b8b746b1bb2..faf5484deed 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -105,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "discussion-task-miner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,11 +128,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -210,10 +210,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -294,7 +294,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -313,7 +313,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,9 +336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -360,15 +360,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3},"create_issue":{"expires":24,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 3 comment(s) can be added.", @@ -378,7 +378,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -490,7 +490,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -515,8 +515,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -527,7 +527,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -557,7 +557,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -607,7 +607,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -704,15 +704,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -721,7 +721,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -749,18 +749,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -844,9 +844,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -897,9 +897,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -960,7 +960,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -985,9 +985,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -999,9 +999,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1026,9 +1026,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1044,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1073,7 +1073,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1116,9 +1116,9 @@ jobs: FILE_GLOB_FILTER: "memory/discussion-task-miner/*.json memory/discussion-task-miner/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1160,7 +1160,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1186,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 68e53b70f57..23038f31d13 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "docs-noob-tester.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,11 +124,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -164,7 +164,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -204,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -281,7 +281,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -310,9 +310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -334,15 +334,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -352,7 +352,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -448,7 +448,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -473,8 +473,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -485,7 +485,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -519,7 +519,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -582,7 +582,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -662,15 +662,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -679,7 +679,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -707,18 +707,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -802,9 +802,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -855,9 +855,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -917,7 +917,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -941,9 +941,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -954,9 +954,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -977,9 +977,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -994,9 +994,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1031,7 +1031,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1057,9 +1057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1090,7 +1090,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1145,8 +1145,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 40939ecc807..ff07af5be9e 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -58,7 +58,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,9 +97,9 @@ jobs: GH_AW_WORKFLOW_FILE: "draft-pr-cleanup.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,10 +119,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, close_pull_request, add_labels, missing_tool, missing_data, noop @@ -156,7 +156,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -190,10 +190,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -266,7 +266,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -295,9 +295,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -319,15 +319,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":20},"add_labels":{"max":20},"close_pull_request":{"max":10,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 20 comment(s) can be added.", @@ -338,7 +338,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -454,7 +454,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -479,8 +479,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -491,7 +491,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -521,7 +521,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -570,7 +570,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -662,15 +662,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -679,7 +679,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -707,18 +707,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -793,9 +793,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -846,9 +846,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -908,7 +908,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -932,9 +932,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -945,9 +945,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -967,9 +967,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -984,9 +984,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1025,7 +1025,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1051,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index e137248c0d3..54a162e3fc7 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "duplicate-code-detector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,10 +132,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -169,7 +169,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -212,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -288,7 +288,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -317,9 +317,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -344,15 +344,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned." @@ -361,7 +361,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -455,7 +455,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -480,8 +480,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -492,7 +492,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -572,7 +572,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -643,7 +643,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -688,15 +688,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -707,7 +707,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -735,18 +735,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -821,9 +821,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -860,9 +860,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -920,7 +920,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -944,9 +944,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -957,9 +957,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -978,9 +978,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -995,9 +995,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1033,7 +1033,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1060,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' @@ -1072,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_copilot_to_created_issues.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 1a87ab75c49..17bed4848e4 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -56,7 +56,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,7 +82,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -100,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "example-permissions-warning.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,9 +121,9 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -154,7 +154,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -186,10 +186,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -247,7 +247,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -276,9 +276,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -323,7 +323,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -358,7 +358,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -432,15 +432,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -450,7 +450,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -458,18 +458,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 5377e573fdc..4a36a63452a 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "example-workflow-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -202,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -278,7 +278,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -337,9 +337,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -376,27 +376,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[workflow-analysis] \". Discussions will be created in category \"audits\"." @@ -405,7 +405,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -492,7 +492,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -517,8 +517,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -529,7 +529,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -559,7 +559,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -625,7 +625,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -745,15 +745,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -763,7 +763,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -791,18 +791,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -875,9 +875,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -938,9 +938,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -999,7 +999,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1023,9 +1023,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1036,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1076,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1113,7 +1113,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1139,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index c6d5c86606f..235b67763e7 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -71,7 +71,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -110,18 +110,18 @@ jobs: GH_AW_WORKFLOW_FILE: "firewall-escape.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -142,12 +142,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -181,7 +181,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -224,10 +224,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -311,7 +311,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -337,7 +337,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -360,9 +360,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -384,15 +384,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":524288,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Firewall Escape] \". Discussions will be created in category \"audits\"." @@ -401,7 +401,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -488,7 +488,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -513,8 +513,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -525,7 +525,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -555,7 +555,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -604,7 +604,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -680,15 +680,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -697,7 +697,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -725,18 +725,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -826,9 +826,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -879,9 +879,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -942,7 +942,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -967,9 +967,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -981,9 +981,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1009,9 +1009,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1027,9 +1027,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); post-issue: @@ -1082,7 +1082,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1120,7 +1120,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1162,9 +1162,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1200,7 +1200,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1226,9 +1226,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1257,7 +1257,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index 28c89afbc46..09edae9f0d7 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -56,7 +56,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,7 +82,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -100,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "firewall.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,9 +121,9 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -154,7 +154,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -188,10 +188,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -249,7 +249,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -278,9 +278,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -325,7 +325,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -360,7 +360,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -434,15 +434,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -452,7 +452,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -460,18 +460,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index aaa69dfb2ec..bb8b161e24e 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +88,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "functional-pragmatist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,15 +128,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -205,10 +205,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -281,7 +281,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -310,9 +310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -334,15 +334,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"reviewers":["copilot"],"title_prefix":"[fp-enhancer] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[fp-enhancer] \". Labels [\"refactoring\" \"functional\" \"immutability\" \"code-quality\"] will be automatically added. Reviewers [\"copilot\"] will be assigned." @@ -351,7 +351,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -448,7 +448,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -473,8 +473,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -485,7 +485,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -515,7 +515,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -564,7 +564,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -639,15 +639,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -657,7 +657,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -685,18 +685,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -772,9 +772,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -824,9 +824,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -885,7 +885,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -910,9 +910,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -924,9 +924,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -949,9 +949,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -967,9 +967,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -982,9 +982,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1024,7 +1024,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1079,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 26e02cf704e..4322ada4e26 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "github-mcp-structural-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -169,7 +169,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -212,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -293,7 +293,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -355,9 +355,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -382,15 +382,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[mcp-analysis] \". Discussions will be created in category \"audits\".", @@ -400,7 +400,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -496,7 +496,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -521,8 +521,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -533,7 +533,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -565,7 +565,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -613,7 +613,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -740,15 +740,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -758,7 +758,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -786,18 +786,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -885,9 +885,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -948,9 +948,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1011,7 +1011,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1035,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1048,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1071,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1088,9 +1088,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1125,7 +1125,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1151,9 +1151,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1182,7 +1182,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1227,7 +1227,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1282,8 +1282,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index cf9e75b3c1c..d06fdcceb4f 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "github-mcp-tools-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,16 +129,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -170,7 +170,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -209,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -329,9 +329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -356,15 +356,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[mcp-tools] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -374,7 +374,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -497,7 +497,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -522,8 +522,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -534,7 +534,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -563,7 +563,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -611,7 +611,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -735,15 +735,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -753,7 +753,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -781,18 +781,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -872,9 +872,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -935,9 +935,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -998,7 +998,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1022,9 +1022,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1035,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1060,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1133,7 +1133,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1188,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1219,7 +1219,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 6d9b473c8bb..a3964ef78d7 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -59,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +85,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "github-remote-mcp-auth-test.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,10 +126,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -163,7 +163,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -199,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -276,7 +276,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -305,9 +305,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -329,15 +329,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[auth-test] \". Discussions will be created in category \"audits\"." @@ -346,7 +346,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -433,7 +433,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -458,8 +458,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -470,7 +470,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -501,7 +501,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_PERSONAL_ACCESS_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -558,7 +558,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -633,15 +633,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -651,7 +651,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -679,18 +679,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -765,9 +765,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -817,9 +817,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -878,7 +878,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -902,9 +902,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -915,9 +915,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -939,9 +939,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -956,9 +956,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -994,7 +994,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1020,9 +1020,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index ac7e8900190..bbb886e26a1 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "glossary-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -131,17 +131,17 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -173,7 +173,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -227,10 +227,10 @@ jobs: GH_AW_WIKI_NOTE: "\n\n> **GitHub Wiki**: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)." with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -313,7 +313,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -367,7 +367,7 @@ jobs: TARGET_REPO: ${{ github.repository }}.wiki MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: false - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -390,9 +390,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -414,15 +414,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"glossary\"] will be automatically added." @@ -431,7 +431,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -528,7 +528,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -553,8 +553,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -565,16 +565,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -602,7 +602,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -611,17 +611,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -633,7 +633,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -665,7 +665,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -697,7 +697,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -775,7 +775,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -879,15 +879,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -897,7 +897,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -925,27 +925,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1037,9 +1037,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1089,9 +1089,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1152,7 +1152,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1176,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1189,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1217,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1234,9 +1234,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1248,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1277,7 +1277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1320,9 +1320,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1361,7 +1361,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1416,9 +1416,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1447,7 +1447,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 210c7d324ef..dd717ab50db 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "go-fan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -211,10 +211,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -329,9 +329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -356,15 +356,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[go-fan] \". Discussions will be created in category \"audits\"." @@ -373,7 +373,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -460,7 +460,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -485,8 +485,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -497,7 +497,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -526,7 +526,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -597,7 +597,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -739,15 +739,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -757,7 +757,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -785,18 +785,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -875,9 +875,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -938,9 +938,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1000,7 +1000,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1025,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1039,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1063,9 +1063,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1081,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1119,7 +1119,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1145,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1176,7 +1176,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 236ff7f8ad5..0ce0962d3dd 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "go-logger.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,16 +129,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -170,7 +170,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -208,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -286,7 +286,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -341,9 +341,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -368,15 +368,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[log] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[log] \". Labels [\"enhancement\" \"automation\"] will be automatically added." @@ -385,7 +385,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -482,7 +482,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -507,8 +507,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -519,16 +519,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "go", @@ -569,7 +569,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -578,17 +578,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash # Auto-generated mcp-script tool: go # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -600,8 +600,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GO_EOF - chmod +x /opt/gh-aw/mcp-scripts/go.sh - cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/go.sh + cat > ${GH_AW_HOME}/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash # Auto-generated mcp-script tool: make # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -612,7 +612,7 @@ jobs: make $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/mcp-scripts/make.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/make.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -644,7 +644,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -675,7 +675,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -737,7 +737,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -889,15 +889,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -907,7 +907,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -935,27 +935,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1036,9 +1036,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1099,9 +1099,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1161,7 +1161,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1185,9 +1185,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1198,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1221,9 +1221,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1238,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1252,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1293,7 +1293,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1348,9 +1348,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1379,7 +1379,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 33f739612d9..a5f0dbd215e 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "go-pattern-detector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,10 +130,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -209,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -288,7 +288,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -317,9 +317,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -344,15 +344,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/ast-grep:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[ast-grep] \". Labels [\"code-quality\" \"ast-grep\" \"cookie\"] will be automatically added." @@ -361,7 +361,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -455,7 +455,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -480,8 +480,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -492,7 +492,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -521,7 +521,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "ast-grep": { @@ -583,7 +583,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -704,15 +704,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -722,7 +722,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -750,18 +750,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -834,9 +834,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -897,9 +897,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -991,7 +991,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1015,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1028,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1049,9 +1049,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1066,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1104,7 +1104,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 00b4d49d1ed..c86de2a9d12 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "gpclean.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -206,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -285,7 +285,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -330,9 +330,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -354,15 +354,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[gpl-dependency]\". Labels [\"dependency-cleaner\"] will be automatically added." @@ -371,7 +371,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -465,7 +465,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -490,8 +490,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -502,7 +502,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -532,7 +532,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -581,7 +581,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -656,15 +656,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -674,7 +674,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -702,18 +702,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -794,9 +794,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -846,9 +846,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -907,7 +907,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -931,9 +931,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -944,9 +944,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -966,9 +966,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -983,9 +983,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1021,7 +1021,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1047,9 +1047,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1078,7 +1078,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index e44b659f38c..35c01e9fbc2 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -76,7 +76,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -105,7 +105,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -126,9 +126,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -136,18 +136,18 @@ jobs: GH_AW_WORKFLOW_FILE: "grumpy-reviewer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -158,9 +158,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 😤 *Reluctantly reviewed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"😤 *sigh* [{workflow_name}]({run_url}) is begrudgingly looking at this {event_type}... This better be worth my time.\",\"runSuccess\":\"😤 Fine. [{workflow_name}]({run_url}) finished the review. It wasn't completely terrible. I guess. 🙄\",\"runFailure\":\"😤 Great. [{workflow_name}]({run_url}) {status}. As if my day couldn't get any worse...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -182,11 +182,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request_review_comment, submit_pull_request_review, missing_tool, missing_data, noop @@ -220,9 +220,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -265,10 +265,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -345,7 +345,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -384,9 +384,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -408,15 +408,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request_review_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request_review_comment": " CONSTRAINTS: Maximum 5 review comment(s) can be created. Comments will be on the RIGHT side of the diff.", @@ -426,7 +426,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request_review_comment": { "defaultMax": 1, @@ -542,7 +542,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -567,8 +567,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -579,7 +579,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -609,7 +609,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -659,7 +659,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -734,15 +734,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -752,7 +752,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -781,18 +781,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -873,9 +873,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -925,9 +925,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -986,7 +986,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1010,9 +1010,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1023,9 +1023,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1046,9 +1046,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1063,9 +1063,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1082,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1109,7 +1109,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1118,9 +1118,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1129,9 +1129,9 @@ jobs: GH_AW_COMMANDS: "[\"grumpy\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1166,7 +1166,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1192,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1223,7 +1223,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 7a6469c624d..0df67daf4ad 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "hourly-ci-cleaner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -133,15 +133,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -173,7 +173,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -215,10 +215,10 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -298,7 +298,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -360,9 +360,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -384,15 +384,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"title_prefix":"[ca] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ca] \"." @@ -401,7 +401,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -498,7 +498,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -523,8 +523,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -535,7 +535,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -565,7 +565,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -614,7 +614,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -689,15 +689,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -707,7 +707,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -735,18 +735,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -822,9 +822,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -874,9 +874,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -982,7 +982,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1007,9 +1007,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1023,9 +1023,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1048,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1066,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1081,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1123,7 +1123,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1178,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 3ceba3f5c52..433e50ae1ab 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -59,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +85,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -103,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "instructions-janitor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +125,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -201,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -279,7 +279,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -318,9 +318,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -345,15 +345,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[instructions] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[instructions] \". Labels [\"documentation\" \"automation\" \"instructions\"] will be automatically added." @@ -362,7 +362,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -459,7 +459,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -484,8 +484,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -496,7 +496,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -525,7 +525,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -573,7 +573,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -720,15 +720,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -738,7 +738,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -766,18 +766,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -857,9 +857,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -920,9 +920,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -982,7 +982,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1006,9 +1006,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1019,9 +1019,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1042,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1073,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1114,7 +1114,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1169,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1200,7 +1200,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 0e537213126..de772a77b3e 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,7 +93,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -112,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "issue-arborist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -134,10 +134,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, link_sub_issue, missing_tool, missing_data, noop @@ -171,7 +171,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -210,10 +210,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -284,7 +284,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -321,9 +321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -348,15 +348,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"create_issue":{"expires":48,"group":true,"max":5},"link_sub_issue":{"max":50},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Issue Arborist] \". Discussions will be created in category \"audits\".", @@ -367,7 +367,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -505,7 +505,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -530,8 +530,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -542,7 +542,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -601,7 +601,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -650,7 +650,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -695,15 +695,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -714,7 +714,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -742,18 +742,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -828,9 +828,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -867,9 +867,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -928,7 +928,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -952,9 +952,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -965,9 +965,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -988,9 +988,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1005,9 +1005,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1044,7 +1044,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1070,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 85ba0c0124f..ecd656f99ae 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -397,7 +397,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -426,7 +426,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -444,18 +444,18 @@ jobs: GH_AW_WORKFLOW_FILE: "issue-monster.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -478,10 +478,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, assign_to_agent, missing_tool, missing_data, noop @@ -515,7 +515,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -558,10 +558,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ISSUE_NUMBERS: ${{ needs.pre_activation.outputs.issue_numbers }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -636,7 +636,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -665,9 +665,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -689,15 +689,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3,"target":"*"},"assign_to_agent":{"allowed":["copilot"],"max":3,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 3 comment(s) can be added. Target: *.", @@ -707,7 +707,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -811,7 +811,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -836,8 +836,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -848,7 +848,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -878,7 +878,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -928,7 +928,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1003,15 +1003,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1021,7 +1021,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1049,18 +1049,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1135,9 +1135,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1187,9 +1187,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1249,7 +1249,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1273,9 +1273,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1286,9 +1286,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1311,9 +1311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1328,9 +1328,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1358,7 +1358,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1367,9 +1367,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1390,9 +1390,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); - name: Check skip-if-no-match query id: check_skip_if_no_match @@ -1404,9 +1404,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_no_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_no_match.cjs'); await main(); - name: Search for candidate issues id: search @@ -1770,7 +1770,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1796,9 +1796,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1812,9 +1812,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_to_agent.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 6366f61181b..c5e4627b4b1 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -61,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "issue-triage-agent.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,10 +130,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, add_labels, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -203,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -277,7 +277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -316,15 +316,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["bug","feature","enhancement","documentation","question","help-wanted","good-first-issue"],"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -334,7 +334,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -432,7 +432,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -457,8 +457,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -469,7 +469,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -499,7 +499,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -549,7 +549,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -624,15 +624,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -642,7 +642,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -670,18 +670,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -756,9 +756,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -808,9 +808,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,7 +870,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -894,9 +894,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -907,9 +907,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -928,9 +928,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -945,9 +945,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -985,7 +985,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1011,9 +1011,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 42940d24bd6..3a8d0fec916 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -59,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +85,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "jsweep.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +125,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -203,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -283,7 +283,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -331,9 +331,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -355,15 +355,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"draft":true,"expires":48,"max":1,"title_prefix":"[jsweep] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[jsweep] \". Labels [\"unbloat\" \"automation\"] will be automatically added. PRs will be created as drafts." @@ -372,7 +372,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -469,7 +469,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -494,8 +494,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -506,7 +506,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -536,7 +536,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -600,7 +600,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -675,15 +675,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -693,7 +693,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -721,18 +721,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -814,9 +814,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -866,9 +866,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -928,7 +928,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -953,9 +953,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -967,9 +967,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -992,9 +992,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1010,9 +1010,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1025,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1067,7 +1067,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1122,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1153,7 +1153,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 7b29a238f72..e81576dcc7a 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -60,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +86,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "layout-spec-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,15 +126,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -198,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -274,7 +274,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -310,9 +310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -334,15 +334,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[specs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[specs] \". Labels [\"documentation\" \"automation\"] will be automatically added." @@ -351,7 +351,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -448,7 +448,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -473,8 +473,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -485,7 +485,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -515,7 +515,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -564,7 +564,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -668,15 +668,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -686,7 +686,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -714,18 +714,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -801,9 +801,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -853,9 +853,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -914,7 +914,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -939,9 +939,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -953,9 +953,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -978,9 +978,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -996,9 +996,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1011,9 +1011,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1053,7 +1053,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1108,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 5231707bf7e..1da925d9a5a 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "lockfile-stats.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -206,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -284,7 +284,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -323,9 +323,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -350,15 +350,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -367,7 +367,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -454,7 +454,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -479,8 +479,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -491,7 +491,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -520,7 +520,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -568,7 +568,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -692,15 +692,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -710,7 +710,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -738,18 +738,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -828,9 +828,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -891,9 +891,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -953,7 +953,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -977,9 +977,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -990,9 +990,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1067,7 +1067,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1093,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1124,7 +1124,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index d00acfa585f..23f5eaebf38 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -78,7 +78,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -104,7 +104,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -122,9 +122,9 @@ jobs: GH_AW_WORKFLOW_FILE: "mcp-inspector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -144,12 +144,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -183,7 +183,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -266,10 +266,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -346,7 +346,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -426,9 +426,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -462,27 +462,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"notion-add-comment":{"description":"Add a comment to a Notion page","inputs":{"comment":{"default":null,"description":"The comment text to add","required":true,"type":"string"}},"output":"Comment added to Notion successfully!"},"post-to-slack-channel":{"description":"Post a message to a Slack channel. Message must be 200 characters or less. Supports basic Slack markdown: *bold*, _italic_, ~strike~, `code`, ```code block```, \u003equote, and links \u003curl|text\u003e. Requires GH_AW_SLACK_CHANNEL_ID environment variable to be set.","inputs":{"message":{"default":null,"description":"The message to post (max 200 characters, supports Slack markdown)","required":true,"type":"string"}},"output":"Message posted to Slack successfully!"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -526,7 +526,7 @@ jobs: ] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -613,7 +613,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -638,8 +638,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -650,7 +650,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -694,7 +694,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID -e BRAVE_API_KEY -e CONTEXT7_API_KEY -e DD_API_KEY -e DD_APPLICATION_KEY -e DD_SITE -e NOTION_API_TOKEN -e SENTRY_ACCESS_TOKEN -e SENTRY_HOST -e SENTRY_OPENAI_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -1047,7 +1047,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1126,15 +1126,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID,BRAVE_API_KEY,CONTEXT7_API_KEY,COPILOT_GITHUB_TOKEN,DD_API_KEY,DD_APPLICATION_KEY,DD_SITE,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,NOTION_API_TOKEN,SENTRY_ACCESS_TOKEN,SENTRY_OPENAI_API_KEY,TAVILY_API_KEY' @@ -1156,7 +1156,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1184,18 +1184,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1276,9 +1276,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1328,9 +1328,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1392,7 +1392,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1416,9 +1416,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1429,9 +1429,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1453,9 +1453,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1470,9 +1470,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); notion_add_comment: @@ -1777,7 +1777,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1804,9 +1804,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1835,7 +1835,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index ae8d35d4e0f..569f355ceef 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -71,7 +71,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,7 +97,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -118,9 +118,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -128,18 +128,18 @@ jobs: GH_AW_WORKFLOW_FILE: "mergefest.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -149,9 +149,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Mergefest" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -172,15 +172,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -212,9 +212,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -253,10 +253,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -330,7 +330,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -362,9 +362,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -386,22 +386,22 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": {}, "repo_params": {}, "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -482,7 +482,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -507,8 +507,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -519,7 +519,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -549,7 +549,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -598,7 +598,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -712,15 +712,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -730,7 +730,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -759,18 +759,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -846,9 +846,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -898,9 +898,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -958,7 +958,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -982,9 +982,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -995,9 +995,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1019,9 +1019,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1036,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1054,9 +1054,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1080,7 +1080,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1089,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1100,9 +1100,9 @@ jobs: GH_AW_COMMANDS: "[\"mergefest\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1140,7 +1140,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1195,9 +1195,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 9f1f2d47b40..22a9c945185 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -61,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +87,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -105,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "metrics-collector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,11 +127,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -162,7 +162,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -202,10 +202,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -274,7 +274,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -320,7 +320,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -343,9 +343,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -379,12 +379,12 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 @@ -415,7 +415,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -469,7 +469,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -543,15 +543,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -561,7 +561,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -569,18 +569,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -640,7 +640,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -649,9 +649,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -678,7 +678,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -721,8 +721,8 @@ jobs: FILE_GLOB_FILTER: "metrics/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 586e3902def..0784be820c9 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "notion-issue-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,10 +132,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: missing_tool, missing_data, noop @@ -169,7 +169,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -206,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -279,7 +279,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -308,9 +308,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -332,15 +332,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/notion node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"notion-add-comment":{"description":"Add a comment to a Notion page","inputs":{"comment":{"default":null,"description":"The comment text to add","required":true,"type":"string"}},"output":"Comment added to Notion successfully!"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": {}, "repo_params": {}, @@ -365,7 +365,7 @@ jobs: ] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -426,7 +426,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -451,8 +451,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -463,7 +463,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -494,7 +494,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e NOTION_API_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -563,7 +563,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -638,15 +638,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,NOTION_API_TOKEN' @@ -657,7 +657,7 @@ jobs: SECRET_NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -685,18 +685,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -757,7 +757,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -781,9 +781,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -794,9 +794,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -816,9 +816,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -833,9 +833,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); notion_add_comment: @@ -994,7 +994,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1021,9 +1021,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index cde88d5dbf9..d9390e8d632 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -94,7 +94,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -112,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "org-health-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -134,11 +134,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -174,7 +174,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -218,10 +218,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -299,7 +299,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -363,9 +363,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -387,15 +387,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"reports\".", @@ -405,7 +405,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -501,7 +501,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -526,8 +526,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -538,7 +538,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -571,7 +571,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -621,7 +621,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -699,15 +699,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -717,7 +717,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -745,18 +745,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -846,9 +846,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -898,9 +898,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -961,7 +961,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -985,9 +985,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -998,9 +998,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1022,9 +1022,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1039,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1076,7 +1076,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1102,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1133,7 +1133,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1178,7 +1178,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1233,8 +1233,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 66c3c279502..c9d77e1d8da 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -94,7 +94,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -120,7 +120,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -141,9 +141,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -151,18 +151,18 @@ jobs: GH_AW_WORKFLOW_FILE: "pdf-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -173,9 +173,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📄 *Summary compiled by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📖 Page by page! [{workflow_name}]({run_url}) is reading through this {event_type}...\",\"runSuccess\":\"📚 TL;DR ready! [{workflow_name}]({run_url}) has distilled the essence. Knowledge condensed! ✨\",\"runFailure\":\"📖 Reading interrupted! [{workflow_name}]({run_url}) {status}. The document remains unsummarized...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -200,11 +200,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_discussion, missing_tool, missing_data, noop @@ -238,9 +238,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -292,10 +292,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -377,7 +377,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -416,9 +416,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -440,15 +440,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -458,7 +458,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -563,7 +563,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -588,8 +588,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -600,7 +600,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -630,7 +630,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -693,7 +693,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -768,15 +768,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -786,7 +786,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -815,18 +815,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -907,9 +907,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -959,9 +959,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1022,7 +1022,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1046,9 +1046,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1101,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1120,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1149,7 +1149,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1158,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1169,9 +1169,9 @@ jobs: GH_AW_COMMANDS: "[\"summarize\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1210,7 +1210,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1236,9 +1236,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1267,7 +1267,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 3f9474f9f3a..d100ceb4e14 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -76,7 +76,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,7 +102,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -123,9 +123,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -133,18 +133,18 @@ jobs: GH_AW_WORKFLOW_FILE: "plan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -154,9 +154,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Plan Command" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -178,10 +178,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, close_discussion, missing_tool, missing_data, noop @@ -215,9 +215,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -258,10 +258,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -337,7 +337,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -366,9 +366,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -380,15 +380,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":1,"required_category":"Ideas"},"create_issue":{"expires":48,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "close_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be closed.", @@ -398,7 +398,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -519,7 +519,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -544,8 +544,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -556,7 +556,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -584,7 +584,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -633,7 +633,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -708,15 +708,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -726,7 +726,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -755,18 +755,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -841,9 +841,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -893,9 +893,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -954,7 +954,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -978,9 +978,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -991,9 +991,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1048,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1075,7 +1075,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1095,9 +1095,9 @@ jobs: GH_AW_COMMANDS: "[\"plan\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1134,7 +1134,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1160,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 7a75853c46c..0bdd90c33be 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -86,7 +86,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -112,7 +112,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -133,9 +133,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -143,18 +143,18 @@ jobs: GH_AW_WORKFLOW_FILE: "poem-bot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -165,9 +165,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Verses penned by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎭 Hear ye! The muse stirs! [{workflow_name}]({run_url}) takes quill in hand for this {event_type}...\",\"runSuccess\":\"🪶 The poem is writ! [{workflow_name}]({run_url}) has composed verses most fair. Applause! 👏\",\"runFailure\":\"🎭 Alas! [{workflow_name}]({run_url}) {status}. The muse has fled, leaving verses unsung...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -190,17 +190,17 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_issue, create_discussion, create_agent_session, create_pull_request, close_pull_request, create_pull_request_review_comment, add_labels, push_to_pull_request_branch, upload_asset, link_sub_issue, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -234,9 +234,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -284,10 +284,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -366,7 +366,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -405,9 +405,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -429,15 +429,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3,"target":"*"},"add_labels":{"allowed":["poetry","creative","automation","ai-generated","epic","haiku","sonnet","limerick"],"max":5},"close_pull_request":{"max":2,"required_labels":["poetry","automation"],"required_title_prefix":"[🎨 POETRY]","target":"*"},"create_agent_session":{"max":1},"create_discussion":{"expires":24,"max":2},"create_issue":{"expires":48,"group":true,"max":2},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[🎨 POETRY] "},"create_pull_request_review_comment":{"max":2},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1},"update_issue":{"max":2},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 3 comment(s) can be added. Target: *.", @@ -456,7 +456,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -820,7 +820,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -845,8 +845,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -857,7 +857,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -890,7 +890,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -939,7 +939,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1042,15 +1042,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1060,7 +1060,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1089,18 +1089,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1192,9 +1192,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1244,9 +1244,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1308,7 +1308,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1332,9 +1332,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1347,9 +1347,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1374,9 +1374,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1391,9 +1391,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1405,9 +1405,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1424,9 +1424,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1450,7 +1450,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1459,9 +1459,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1470,9 +1470,9 @@ jobs: GH_AW_COMMANDS: "[\"poem-bot\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1523,7 +1523,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1579,9 +1579,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Create Agent Session id: create_agent_session @@ -1593,7 +1593,7 @@ jobs: with: github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); @@ -1616,7 +1616,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1661,7 +1661,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1719,8 +1719,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 6dd7672a907..953bb53298d 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "portfolio-analyst.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -131,12 +131,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -172,7 +172,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -217,10 +217,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -297,7 +297,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -397,9 +397,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -433,27 +433,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[portfolio] \". Discussions will be created in category \"audits\".", @@ -463,7 +463,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -559,7 +559,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -584,8 +584,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -596,7 +596,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -630,7 +630,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -698,7 +698,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -776,15 +776,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -794,7 +794,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -822,18 +822,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -923,9 +923,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -975,9 +975,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1038,7 +1038,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1063,9 +1063,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1102,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1120,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1158,7 +1158,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1184,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1215,7 +1215,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1260,7 +1260,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1316,8 +1316,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index b975b88b8c3..4a26217fe3f 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -104,7 +104,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -130,7 +130,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -151,9 +151,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -161,18 +161,18 @@ jobs: GH_AW_WORKFLOW_FILE: "pr-nitpick-reviewer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -183,9 +183,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Meticulously inspected by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 Adjusting monocle... [{workflow_name}]({run_url}) is scrutinizing every pixel of this {event_type}...\",\"runSuccess\":\"🔍 Nitpicks catalogued! [{workflow_name}]({run_url}) has documented all the tiny details. Perfection awaits! ✅\",\"runFailure\":\"🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -207,11 +207,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, create_pull_request_review_comment, submit_pull_request_review, missing_tool, missing_data, noop @@ -245,9 +245,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -294,10 +294,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -375,7 +375,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -414,9 +414,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -438,15 +438,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"create_pull_request_review_comment":{"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[nitpick-report] \". Discussions will be created in category \"audits\".", @@ -457,7 +457,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -599,7 +599,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -624,8 +624,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -636,7 +636,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -666,7 +666,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -715,7 +715,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -790,15 +790,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -808,7 +808,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -837,18 +837,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -929,9 +929,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -981,9 +981,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1044,7 +1044,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1068,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1081,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1106,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1123,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1142,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1175,7 +1175,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1184,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1195,9 +1195,9 @@ jobs: GH_AW_COMMANDS: "[\"nit\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1234,7 +1234,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1260,9 +1260,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1291,7 +1291,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 9fd547d581a..bf38136804c 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -58,7 +58,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +87,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -105,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "pr-triage-agent.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,11 +128,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -206,10 +206,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -288,7 +288,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -304,7 +304,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -327,9 +327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -351,15 +351,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":50},"add_labels":{"max":100},"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 50 comment(s) can be added.", @@ -370,7 +370,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -501,7 +501,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -526,8 +526,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -538,7 +538,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -568,7 +568,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -618,7 +618,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -693,15 +693,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -711,7 +711,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -739,18 +739,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -834,9 +834,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -886,9 +886,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -949,7 +949,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -973,9 +973,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -986,9 +986,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1059,7 +1059,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1102,9 +1102,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1145,7 +1145,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1171,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 435144e6221..06cc8a7c1fb 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -69,7 +69,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -95,7 +95,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -113,9 +113,9 @@ jobs: GH_AW_WORKFLOW_FILE: "prompt-clustering-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -135,12 +135,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -174,7 +174,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -225,10 +225,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -304,7 +304,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -422,9 +422,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -461,27 +461,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[prompt-clustering] \". Discussions will be created in category \"audits\"." @@ -490,7 +490,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -577,7 +577,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -602,8 +602,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -614,7 +614,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -644,7 +644,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -710,7 +710,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -834,15 +834,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -852,7 +852,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -880,18 +880,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -970,9 +970,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1033,9 +1033,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1095,7 +1095,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1119,9 +1119,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1132,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1155,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1172,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1209,7 +1209,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1235,9 +1235,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1266,7 +1266,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index bbbaef2899d..2dd13a9f6ab 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +88,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "python-data-charts.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,12 +128,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -169,7 +169,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -215,10 +215,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -293,7 +293,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -385,9 +385,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -421,27 +421,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"artifacts\".", @@ -451,7 +451,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -547,7 +547,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -572,8 +572,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -584,7 +584,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -618,7 +618,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -686,7 +686,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -764,15 +764,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -782,7 +782,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -810,18 +810,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -911,9 +911,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -963,9 +963,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1026,7 +1026,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1050,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1063,9 +1063,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1087,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1104,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1141,7 +1141,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1167,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1198,7 +1198,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1243,7 +1243,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1298,8 +1298,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index c3dfa9689f8..f25fe24b29b 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -112,7 +112,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -138,7 +138,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -159,9 +159,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -169,18 +169,18 @@ jobs: GH_AW_WORKFLOW_FILE: "q.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -191,9 +191,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎩 *Equipped by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Pay attention, 007! [{workflow_name}]({run_url}) is preparing your gadgets for this {event_type}...\",\"runSuccess\":\"🎩 Mission equipment ready! [{workflow_name}]({run_url}) has optimized your workflow. Use wisely, 007! 🔫\",\"runFailure\":\"🔧 Technical difficulties! [{workflow_name}]({run_url}) {status}. Even Q Branch has bad days...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -216,17 +216,17 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -258,9 +258,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -311,10 +311,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -395,7 +395,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -464,9 +464,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -500,27 +500,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[q] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -530,7 +530,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -645,7 +645,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -670,8 +670,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -682,7 +682,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -713,7 +713,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -796,7 +796,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -871,15 +871,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -889,7 +889,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -918,18 +918,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1011,9 +1011,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1063,9 +1063,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1126,7 +1126,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1150,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1163,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1188,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1205,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1219,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1238,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1277,7 +1277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1286,9 +1286,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1297,9 +1297,9 @@ jobs: GH_AW_COMMANDS: "[\"q\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1342,7 +1342,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1397,9 +1397,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1428,7 +1428,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 0414ffb26e2..b7e7414c159 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -74,7 +74,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -103,7 +103,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -121,18 +121,18 @@ jobs: GH_AW_WORKFLOW_FILE: "refiner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -153,15 +153,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -193,7 +193,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -231,10 +231,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -307,7 +307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -336,9 +336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -360,15 +360,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"max":1,"reviewers":["copilot"],"title_prefix":"[refiner] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -378,7 +378,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -493,7 +493,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -518,8 +518,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -530,7 +530,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -560,7 +560,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -610,7 +610,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -685,15 +685,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -703,7 +703,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -731,18 +731,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -818,9 +818,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,9 +870,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -932,7 +932,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -956,9 +956,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -969,9 +969,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -994,9 +994,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1011,9 +1011,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1025,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1051,7 +1051,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1060,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1105,7 +1105,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1160,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index b83ba264d29..b7db0beb449 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -71,7 +71,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,7 +97,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -115,9 +115,9 @@ jobs: GH_AW_WORKFLOW_FILE: "release.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -137,10 +137,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_release, missing_tool, missing_data, noop @@ -174,7 +174,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -208,10 +208,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -287,7 +287,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -323,9 +323,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -347,15 +347,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_release":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "update_release": " CONSTRAINTS: Maximum 1 release(s) can be updated." @@ -364,7 +364,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -450,7 +450,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -475,8 +475,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -487,7 +487,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -517,7 +517,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -566,7 +566,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -641,15 +641,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -659,7 +659,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -687,18 +687,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -773,9 +773,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -825,9 +825,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -884,7 +884,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -908,9 +908,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -921,9 +921,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -943,9 +943,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -960,9 +960,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); config: @@ -1091,7 +1091,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1100,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_tag: @@ -1340,7 +1340,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1366,9 +1366,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 01e4ee67188..bc577027fe3 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -66,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -92,7 +92,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "repo-audit-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -133,11 +133,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -171,7 +171,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -211,10 +211,10 @@ jobs: GH_AW_INPUTS_REPOSITORY: ${{ inputs.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -330,9 +330,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -354,15 +354,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"create_missing_tool_issue":{"labels":["cookie"],"max":1,"title_prefix":"[missing tool]"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -371,7 +371,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -458,7 +458,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -483,8 +483,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -495,7 +495,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -525,7 +525,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -574,7 +574,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -649,15 +649,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -667,7 +667,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -695,18 +695,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -787,9 +787,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -839,9 +839,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -901,7 +901,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -925,9 +925,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -941,9 +941,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -965,9 +965,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -982,9 +982,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1019,7 +1019,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1045,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1076,7 +1076,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (repo-audits) id: download_cache_repo_audits uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index e99aa3cf58b..c221c09f444 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "repo-tree-map.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,10 +129,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -201,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -277,7 +277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -306,9 +306,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -330,15 +330,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"dev\"." @@ -347,7 +347,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -434,7 +434,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -459,8 +459,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -471,7 +471,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -501,7 +501,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -550,7 +550,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -625,15 +625,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -643,7 +643,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -671,18 +671,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -757,9 +757,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -809,9 +809,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,7 +870,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -894,9 +894,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -907,9 +907,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -931,9 +931,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -948,9 +948,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -985,7 +985,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1011,9 +1011,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 297267039da..fc0a4c59a1b 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "repository-quality-improver.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -209,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -289,7 +289,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -329,9 +329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -353,15 +353,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -370,7 +370,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -457,7 +457,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -482,8 +482,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -494,7 +494,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -524,7 +524,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -588,7 +588,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -663,15 +663,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -681,7 +681,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -709,18 +709,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -801,9 +801,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -853,9 +853,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -915,7 +915,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -939,9 +939,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -952,9 +952,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -976,9 +976,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -993,9 +993,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1030,7 +1030,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1056,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1087,7 +1087,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (focus-areas) id: download_cache_focus_areas uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 8308256c687..d6b82d5b992 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -66,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -92,7 +92,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "research.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -133,10 +133,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -170,7 +170,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -212,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -287,7 +287,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -316,9 +316,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -340,15 +340,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"research\"." @@ -357,7 +357,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -444,7 +444,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -469,8 +469,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -481,7 +481,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -512,7 +512,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -581,7 +581,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -657,15 +657,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -676,7 +676,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -704,18 +704,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -790,9 +790,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -842,9 +842,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -903,7 +903,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -927,9 +927,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -940,9 +940,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -964,9 +964,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -981,9 +981,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1018,7 +1018,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1044,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 269b6f054d2..29aa21b993f 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "safe-output-health.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,12 +130,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -169,7 +169,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -211,10 +211,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -366,9 +366,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -405,27 +405,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -434,7 +434,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -521,7 +521,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -546,8 +546,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -558,7 +558,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -588,7 +588,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -654,7 +654,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -793,15 +793,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -811,7 +811,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -839,18 +839,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -929,9 +929,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -992,9 +992,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1054,7 +1054,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1078,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1114,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1131,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1168,7 +1168,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1194,9 +1194,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1225,7 +1225,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 09821088757..e5884ba844d 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "schema-consistency-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -205,10 +205,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -284,7 +284,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -323,9 +323,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -350,15 +350,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Schema Consistency] \". Discussions will be created in category \"audits\"." @@ -367,7 +367,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -454,7 +454,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -479,8 +479,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -491,7 +491,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -520,7 +520,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -568,7 +568,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -692,15 +692,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -710,7 +710,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -738,18 +738,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -828,9 +828,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -891,9 +891,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -953,7 +953,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -977,9 +977,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -990,9 +990,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1067,7 +1067,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1093,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1124,7 +1124,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index ebe615b4bcc..8fe23d3c95b 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -131,7 +131,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -157,7 +157,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -178,9 +178,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -188,18 +188,18 @@ jobs: GH_AW_WORKFLOW_FILE: "scout.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -210,9 +210,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔭 *Intelligence gathered by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🏕️ Scout on patrol! [{workflow_name}]({run_url}) is blazing trails through this {event_type}...\",\"runSuccess\":\"🔭 Recon complete! [{workflow_name}]({run_url}) has charted the territory. Map ready! 🗺️\",\"runFailure\":\"🏕️ Lost in the wilderness! [{workflow_name}]({run_url}) {status}. Sending search party...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -237,11 +237,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, add_labels, missing_tool, missing_data, noop @@ -275,9 +275,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -347,10 +347,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -430,7 +430,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -472,9 +472,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -489,15 +489,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"add_labels":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -507,7 +507,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -605,7 +605,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -630,8 +630,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -642,7 +642,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -670,7 +670,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "arxiv": { @@ -795,7 +795,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -942,15 +942,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -961,7 +961,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -990,18 +990,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1080,9 +1080,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1143,9 +1143,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1206,7 +1206,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1230,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1243,9 +1243,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1265,9 +1265,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1282,9 +1282,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1301,9 +1301,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1339,7 +1339,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1348,9 +1348,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1359,9 +1359,9 @@ jobs: GH_AW_COMMANDS: "[\"scout\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1400,7 +1400,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1426,9 +1426,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1457,7 +1457,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index b72cebcc29d..e111d90d757 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "security-alert-burndown.campaign.g.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_project, create_project_status_update, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -201,10 +201,10 @@ jobs: GH_AW_MEMORY_LIST: "- **campaigns**: `/tmp/gh-aw/repo-memory/campaigns/` (branch: `memory/campaigns`)\n" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -280,7 +280,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -314,7 +314,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/campaigns CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -337,9 +337,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -364,15 +364,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3},"create_issue":{"max":1},"create_project_status_update":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/campaigns","id":"campaigns","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]},"update_project":{"max":10}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 3 comment(s) can be added.", @@ -384,7 +384,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -578,7 +578,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -603,8 +603,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -615,7 +615,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -644,7 +644,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -692,7 +692,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -812,15 +812,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -830,7 +830,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -858,18 +858,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -951,9 +951,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1014,9 +1014,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1077,7 +1077,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1101,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1114,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1139,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1156,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1185,7 +1185,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1228,9 +1228,9 @@ jobs: FILE_GLOB_FILTER: "security-alert-burndown/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1270,7 +1270,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1299,9 +1299,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index e87c65eed87..60ce4c39289 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -71,7 +71,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,7 +97,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -115,18 +115,18 @@ jobs: GH_AW_WORKFLOW_FILE: "security-compliance.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -150,11 +150,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -188,7 +188,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -233,10 +233,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -315,7 +315,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -331,7 +331,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -354,9 +354,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -378,15 +378,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"group":true,"max":100},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 100 issue(s) can be created. Labels [\"security\" \"campaign-tracker\" \"cookie\"] will be automatically added." @@ -395,7 +395,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -489,7 +489,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -514,8 +514,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -526,7 +526,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -556,7 +556,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -605,7 +605,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -680,15 +680,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -698,7 +698,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -726,18 +726,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -821,9 +821,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -873,9 +873,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -934,7 +934,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -958,9 +958,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -971,9 +971,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -997,9 +997,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1014,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1043,7 +1043,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1086,9 +1086,9 @@ jobs: FILE_GLOB_FILTER: "memory/campaigns/security-compliance-*/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1124,7 +1124,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1150,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 4654765e248..c056cbcff0e 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -76,7 +76,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,7 +102,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -123,9 +123,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -133,18 +133,18 @@ jobs: GH_AW_WORKFLOW_FILE: "security-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -155,9 +155,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔒 *Security review by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) is analyzing this {event_type} for security implications...\",\"runSuccess\":\"🔒 [{workflow_name}]({run_url}) completed the security review.\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status} during security review.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -179,12 +179,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request_review_comment, submit_pull_request_review, missing_tool, missing_data, noop @@ -218,9 +218,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -263,10 +263,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -347,7 +347,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -416,9 +416,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -452,27 +452,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request_review_comment":{"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request_review_comment": " CONSTRAINTS: Maximum 10 review comment(s) can be created. Comments will be on the RIGHT side of the diff.", @@ -482,7 +482,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request_review_comment": { "defaultMax": 1, @@ -598,7 +598,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -623,8 +623,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -635,7 +635,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -666,7 +666,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -734,7 +734,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -809,15 +809,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -827,7 +827,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -856,18 +856,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -948,9 +948,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1000,9 +1000,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1061,7 +1061,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1085,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1098,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1121,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1138,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1157,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1184,7 +1184,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1193,9 +1193,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1204,9 +1204,9 @@ jobs: GH_AW_COMMANDS: "[\"security-review\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1241,7 +1241,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1267,9 +1267,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1298,7 +1298,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 2137961740c..29a24b6dcfd 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "semantic-function-refactor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,10 +130,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, close_issue, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -207,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -282,7 +282,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -311,9 +311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -338,15 +338,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_issue":{"max":10,"required_title_prefix":"[refactor] ","target":"*"},"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "close_issue": " CONSTRAINTS: Maximum 10 issue(s) can be closed. Target: *. Only issues with title prefix \"[refactor] \" can be closed.", @@ -356,7 +356,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_issue": { "defaultMax": 1, @@ -468,7 +468,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -493,8 +493,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -505,7 +505,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -534,7 +534,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -605,7 +605,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -744,15 +744,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -762,7 +762,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -790,18 +790,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -874,9 +874,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -937,9 +937,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -997,7 +997,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1021,9 +1021,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1034,9 +1034,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1055,9 +1055,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1072,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1110,7 +1110,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1136,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 864aca6bf83..c9029d2119d 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "sergo.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,11 +130,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -211,10 +211,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -329,9 +329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -356,15 +356,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[sergo] \". Discussions will be created in category \"audits\"." @@ -373,7 +373,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -460,7 +460,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -485,8 +485,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -497,7 +497,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -526,7 +526,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -597,7 +597,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -738,15 +738,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -756,7 +756,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -784,18 +784,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -874,9 +874,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -937,9 +937,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -999,7 +999,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1024,9 +1024,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1038,9 +1038,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1062,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1080,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1118,7 +1118,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1144,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1175,7 +1175,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index fa5ba42f329..12da5556011 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -70,7 +70,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,7 +96,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -114,9 +114,9 @@ jobs: GH_AW_WORKFLOW_FILE: "slide-deck-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -138,17 +138,17 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -180,7 +180,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -226,10 +226,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -308,7 +308,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -358,9 +358,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -382,15 +382,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"title_prefix":"[slides] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[slides] \"." @@ -399,7 +399,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -496,7 +496,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -521,8 +521,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -533,7 +533,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -564,7 +564,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -627,7 +627,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -742,15 +742,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -760,7 +760,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -788,18 +788,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -881,9 +881,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -933,9 +933,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -995,7 +995,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1020,9 +1020,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1034,9 +1034,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1092,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1115,7 +1115,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1124,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1147,9 +1147,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1189,7 +1189,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1244,9 +1244,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1275,7 +1275,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 741c3a9b338..e3cf3844cab 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -73,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,7 +99,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -118,18 +118,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-all-merged.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -140,9 +140,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=merged`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -162,10 +162,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -199,7 +199,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -233,10 +233,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -307,7 +307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -336,9 +336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -353,15 +353,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added." @@ -370,7 +370,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -449,7 +449,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -474,8 +474,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -486,7 +486,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -543,7 +543,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -591,7 +591,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -636,15 +636,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -655,7 +655,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -683,18 +683,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -769,9 +769,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -808,9 +808,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,7 +870,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -894,9 +894,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -907,9 +907,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -929,9 +929,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -946,9 +946,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -965,9 +965,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -991,7 +991,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1000,9 +1000,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1041,7 +1041,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1067,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 87c26f033f5..a327e1e9697 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -73,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,7 +99,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -118,18 +118,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-all-none.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -140,9 +140,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=none`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -162,10 +162,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -199,7 +199,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -233,10 +233,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -307,7 +307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -336,9 +336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -353,15 +353,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added." @@ -370,7 +370,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -449,7 +449,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -474,8 +474,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -486,7 +486,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -543,7 +543,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -591,7 +591,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -636,15 +636,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -655,7 +655,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -683,18 +683,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -769,9 +769,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -808,9 +808,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,7 +870,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -894,9 +894,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -907,9 +907,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -929,9 +929,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -946,9 +946,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -965,9 +965,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -991,7 +991,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1000,9 +1000,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1041,7 +1041,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1067,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 760379b468e..34eb865f944 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -73,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,7 +99,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -118,18 +118,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-public-approved.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -140,9 +140,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🤖 [{workflow_name}]({run_url}) is looking for a Smoke issue to assign...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed. Issue assigned to the agentic-workflows agent.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -162,10 +162,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, assign_to_agent, missing_tool, missing_data, noop @@ -199,7 +199,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -233,10 +233,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -307,7 +307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -336,9 +336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -353,15 +353,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"assign_to_agent":{"allowed":["copilot"],"max":1,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -371,7 +371,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -475,7 +475,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -500,8 +500,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -512,7 +512,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -569,7 +569,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -617,7 +617,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -662,15 +662,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -681,7 +681,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -709,18 +709,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -795,9 +795,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -834,9 +834,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -896,7 +896,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -920,9 +920,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -933,9 +933,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -957,9 +957,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -974,9 +974,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -993,9 +993,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1019,7 +1019,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1028,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1072,7 +1072,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1098,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1115,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_to_agent.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 8a696d0ecae..f3af3cdcf08 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -73,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,7 +99,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -118,18 +118,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-public-none.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -140,9 +140,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=public, min-integrity=none`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -162,10 +162,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -199,7 +199,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -233,10 +233,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -307,7 +307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -336,9 +336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -353,15 +353,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added." @@ -370,7 +370,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -449,7 +449,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -474,8 +474,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -486,7 +486,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -543,7 +543,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -591,7 +591,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -636,15 +636,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -655,7 +655,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -683,18 +683,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -769,9 +769,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -808,9 +808,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,7 +870,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -894,9 +894,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -907,9 +907,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -929,9 +929,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -946,9 +946,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -965,9 +965,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -991,7 +991,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1000,9 +1000,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1041,7 +1041,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1067,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index dfc4ad14f26..e9f85264164 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -73,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,7 +99,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -118,18 +118,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-scoped-approved.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -140,9 +140,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=[github/gh-aw, github/*], min-integrity=approved`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -162,10 +162,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -199,7 +199,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -233,10 +233,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -307,7 +307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -336,9 +336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -353,15 +353,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added." @@ -370,7 +370,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -449,7 +449,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -474,8 +474,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -486,7 +486,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -543,7 +543,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -595,7 +595,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -640,15 +640,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -659,7 +659,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -687,18 +687,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -773,9 +773,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -812,9 +812,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -874,7 +874,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -898,9 +898,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -911,9 +911,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -933,9 +933,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -950,9 +950,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -969,9 +969,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -995,7 +995,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1004,9 +1004,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1045,7 +1045,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1071,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 71be60377bb..af611bdc2ec 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -69,7 +69,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -95,7 +95,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -114,18 +114,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-call-workflow.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -145,10 +145,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: call_workflow, missing_tool, missing_data, noop @@ -182,7 +182,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -215,10 +215,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -288,7 +288,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -317,9 +317,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -344,15 +344,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"call_workflow":{"max":1,"workflow_files":{"smoke-workflow-call":"./.github/workflows/smoke-workflow-call.lock.yml"},"workflows":["smoke-workflow-call"]},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": {}, "repo_params": {}, @@ -380,7 +380,7 @@ jobs: ] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -441,7 +441,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -466,8 +466,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -478,7 +478,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -537,7 +537,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -585,7 +585,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -630,15 +630,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -649,7 +649,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -677,18 +677,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -763,9 +763,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -802,9 +802,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -874,7 +874,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -898,9 +898,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -911,9 +911,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -932,9 +932,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -949,9 +949,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -975,7 +975,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -984,9 +984,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1020,7 +1020,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1046,9 +1046,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 4abde10c8ff..a2c9ecedab5 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -89,7 +89,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -116,7 +116,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -137,9 +137,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -147,18 +147,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-claude.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -169,9 +169,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 💥 *[THE END] — Illustrated by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"💥 **WHOOSH!** [{workflow_name}]({run_url}) springs into action on this {event_type}! *[Panel 1 begins...]*\",\"runSuccess\":\"🎬 **THE END** — [{workflow_name}]({run_url}) **MISSION: ACCOMPLISHED!** The hero saves the day! ✨\",\"runFailure\":\"💫 **TO BE CONTINUED...** [{workflow_name}]({run_url}) {status}! Our hero faces unexpected challenges...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -192,18 +192,18 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, close_pull_request, update_pull_request, create_pull_request_review_comment, submit_pull_request_review, resolve_pull_request_review_thread, add_labels, add_reviewer, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -235,7 +235,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -609,10 +609,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -709,7 +709,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -785,9 +785,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -834,27 +834,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-claude"],"max":3},"add_reviewer":{"max":2},"close_pull_request":{"max":1,"staged":true},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1,"target":"*"},"resolve_pull_request_review_thread":{"max":5},"submit_pull_request_review":{"max":1},"update_pull_request":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -871,7 +871,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1157,7 +1157,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -1182,8 +1182,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -1194,16 +1194,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -1352,7 +1352,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -1361,17 +1361,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1383,8 +1383,8 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1520,8 +1520,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1601,8 +1601,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1688,8 +1688,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh - cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash # Auto-generated mcp-script tool: go # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1701,8 +1701,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GO_EOF - chmod +x /opt/gh-aw/mcp-scripts/go.sh - cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/go.sh + cat > ${GH_AW_HOME}/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash # Auto-generated mcp-script tool: make # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1713,7 +1713,7 @@ jobs: make $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/mcp-scripts/make.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/make.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1748,7 +1748,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1785,7 +1785,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -1929,7 +1929,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -2080,15 +2080,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -2099,7 +2099,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -2127,27 +2127,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -2228,9 +2228,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2291,9 +2291,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2354,7 +2354,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2378,9 +2378,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2391,9 +2391,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2415,9 +2415,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -2432,9 +2432,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2451,9 +2451,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -2477,7 +2477,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2486,9 +2486,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -2534,7 +2534,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2589,9 +2589,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -2620,7 +2620,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 4f9f7c288b9..f4b754abd9a 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -80,7 +80,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -106,7 +106,7 @@ jobs: await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -128,9 +128,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -138,18 +138,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-codex.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -160,9 +160,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔮 *The oracle has spoken through [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔮 The ancient spirits stir... [{workflow_name}]({run_url}) awakens to divine this {event_type}...\",\"runSuccess\":\"✨ The prophecy is fulfilled... [{workflow_name}]({run_url}) has completed its mystical journey. The stars align. 🌟\",\"runFailure\":\"🌑 The shadows whisper... [{workflow_name}]({run_url}) {status}. The oracle requires further meditation...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -182,12 +182,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, remove_labels, unassign_from_user, hide_comment, missing_tool, missing_data, noop @@ -224,7 +224,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -269,10 +269,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -346,7 +346,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -393,9 +393,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -420,15 +420,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/fetch mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-codex"],"max":3},"create_issue":{"expires":2,"max":1},"hide_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke"],"max":3},"unassign_from_user":{"allowed":["githubactionagent"],"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -440,7 +440,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -637,7 +637,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -662,8 +662,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -674,16 +674,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -710,7 +710,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -719,17 +719,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -741,7 +741,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -775,7 +775,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -899,7 +899,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1018,7 +1018,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -1065,15 +1065,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -1084,7 +1084,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1112,27 +1112,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1214,9 +1214,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1253,9 +1253,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1316,7 +1316,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1340,9 +1340,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1353,9 +1353,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1375,9 +1375,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1392,9 +1392,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1411,9 +1411,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1437,7 +1437,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1446,9 +1446,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1489,7 +1489,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1515,9 +1515,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1546,7 +1546,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 5668e1d8100..6775cdf88bb 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -79,7 +79,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -105,7 +105,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -126,9 +126,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -136,18 +136,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-copilot-arm.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -158,9 +158,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -181,13 +181,13 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_discussion, create_pull_request_review_comment, submit_pull_request_review, add_labels, remove_labels, dispatch_workflow, missing_tool, missing_data, noop @@ -221,7 +221,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -271,10 +271,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -352,7 +352,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -428,9 +428,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -464,27 +464,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"allowed_repos":["github/gh-aw"],"max":2},"add_labels":{"allowed":["smoke-copilot-arm"],"allowed_repos":["github/gh-aw"],"max":3},"create_discussion":{"expires":2,"max":1},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke"],"max":3},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"default":null,"description":"The message to send","required":true,"type":"string"}},"output":"Slack message stub executed!"},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -544,7 +544,7 @@ jobs: ] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -775,7 +775,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -800,8 +800,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -812,16 +812,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -934,7 +934,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -943,17 +943,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -965,8 +965,8 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1102,8 +1102,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1183,8 +1183,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1270,7 +1270,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1305,7 +1305,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1342,7 +1342,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -1453,7 +1453,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1531,15 +1531,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1549,7 +1549,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1577,27 +1577,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1679,9 +1679,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1731,9 +1731,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1796,7 +1796,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1820,9 +1820,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1833,9 +1833,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1858,9 +1858,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1875,9 +1875,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1895,9 +1895,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1921,7 +1921,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1930,9 +1930,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1974,7 +1974,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2001,9 +2001,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -2066,7 +2066,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index e8f8739ba7d..a30d327f61c 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -81,7 +81,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -107,7 +107,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -128,9 +128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -138,9 +138,9 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-copilot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -152,9 +152,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Remove trigger label id: remove_trigger_label @@ -164,9 +164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/remove_trigger_label.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/remove_trigger_label.cjs'); await main(); - name: Create prompt with built-in context env: @@ -187,13 +187,13 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_discussion, create_pull_request_review_comment, submit_pull_request_review, reply_to_pull_request_review_comment, add_labels, remove_labels, set_issue_type, dispatch_workflow, missing_tool, missing_data, noop @@ -227,7 +227,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -277,10 +277,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -358,7 +358,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -434,9 +434,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -470,27 +470,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"allowed_repos":["github/gh-aw"],"max":2},"add_labels":{"allowed":["smoke-copilot"],"allowed_repos":["github/gh-aw"],"max":3},"create_discussion":{"expires":2,"max":1},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke"],"max":3},"reply_to_pull_request_review_comment":{"max":5},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"default":null,"description":"The message to send","required":true,"type":"string"}},"output":"Slack message stub executed!"},"set_issue_type":{"max":5},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -551,7 +551,7 @@ jobs: ] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -822,7 +822,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -847,8 +847,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -859,16 +859,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -981,7 +981,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -990,17 +990,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1012,8 +1012,8 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1149,8 +1149,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1230,8 +1230,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1317,7 +1317,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1352,7 +1352,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1389,7 +1389,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -1500,7 +1500,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1578,15 +1578,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1596,7 +1596,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1624,27 +1624,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1726,9 +1726,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1778,9 +1778,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1843,7 +1843,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1867,9 +1867,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1880,9 +1880,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1905,9 +1905,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1922,9 +1922,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1942,9 +1942,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1967,7 +1967,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1976,9 +1976,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -2020,7 +2020,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2047,9 +2047,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -2112,7 +2112,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index f0db4898627..0fa80d028d2 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -74,7 +74,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -113,18 +113,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-create-cross-repo-pr.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -135,9 +135,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -158,15 +158,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -201,7 +201,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -238,10 +238,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -315,7 +315,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -350,9 +350,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -374,15 +374,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"create_issue":{"expires":2,"max":1},"create_pull_request":{"draft":true,"expires":24,"fallback_as_issue":false,"max":1,"target-repo":"githubnext/gh-aw-side-repo","title_prefix":"[smoke] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -393,7 +393,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -541,7 +541,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -566,8 +566,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -578,7 +578,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -608,7 +608,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -657,7 +657,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -733,15 +733,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_SIDE_REPO_PAT,GITHUB_TOKEN' @@ -751,7 +751,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -779,18 +779,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -866,9 +866,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -919,9 +919,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -981,7 +981,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1005,9 +1005,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1018,9 +1018,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1042,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1073,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1092,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1118,7 +1118,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1174,7 +1174,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1232,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index a84fb5484b4..e08eb79eb7f 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -80,7 +80,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -106,7 +106,7 @@ jobs: await main(core, context); - name: Validate GEMINI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh GEMINI_API_KEY 'Gemini CLI' https://geminicli.com/docs/get-started/authentication/ + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh GEMINI_API_KEY 'Gemini CLI' https://geminicli.com/docs/get-started/authentication/ env: GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} - name: Checkout .github and .agents folders @@ -127,9 +127,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -137,18 +137,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-gemini.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -159,9 +159,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ✨ *[{workflow_name}]({run_url}) — Powered by Gemini*{history_link}\",\"runStarted\":\"✨ Gemini awakens... [{workflow_name}]({run_url}) begins its journey on this {event_type}...\",\"runSuccess\":\"🚀 [{workflow_name}]({run_url}) **MISSION COMPLETE!** Gemini has spoken. ✨\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status}. Gemini encountered unexpected challenges...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -181,11 +181,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, missing_tool, missing_data, noop @@ -219,7 +219,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -263,10 +263,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -340,7 +340,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -379,9 +379,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -406,15 +406,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/fetch node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-gemini"],"max":3},"create_issue":{"expires":2,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -425,7 +425,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -556,7 +556,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -581,8 +581,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -593,16 +593,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -629,7 +629,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -638,17 +638,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -660,7 +660,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -694,7 +694,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -727,7 +727,7 @@ jobs: export GH_AW_ENGINE="gemini" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -799,7 +799,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Write Gemini settings run: | mkdir -p "$GITHUB_WORKSPACE/.gemini" @@ -858,15 +858,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GEMINI_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -876,7 +876,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -904,27 +904,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_gemini_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_gemini_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Upload cache-memory data as artifact uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -990,9 +990,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1040,9 +1040,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1103,7 +1103,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1140,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1162,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1179,9 +1179,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1198,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1224,7 +1224,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1233,9 +1233,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1276,7 +1276,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1302,9 +1302,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1333,7 +1333,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 036acc7ffc1..42ad6a31069 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -75,7 +75,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,7 +101,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -122,9 +122,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -132,18 +132,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-multi-pr.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -154,9 +154,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Multi PR smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing multiple PR creation...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created multiple PRs.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create multiple PRs. Check the logs.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -176,15 +176,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -216,7 +216,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -250,10 +250,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -324,7 +324,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -353,9 +353,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -377,15 +377,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":2,"max":2,"title_prefix":"[smoke-multi-pr] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -395,7 +395,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -510,7 +510,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -535,8 +535,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -547,7 +547,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -577,7 +577,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -626,7 +626,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -726,15 +726,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -744,7 +744,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -772,18 +772,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -859,9 +859,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -911,9 +911,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -973,7 +973,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -997,9 +997,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1010,9 +1010,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1035,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1052,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1066,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1085,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1111,7 +1111,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1120,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1165,7 +1165,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1220,9 +1220,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index a8baa50b984..f5a3d36216d 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -73,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,7 +99,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -120,9 +120,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -130,18 +130,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-project.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -152,9 +152,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Project smoke test report by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing project operations...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. All project operations validated.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -174,15 +174,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_pull_request, add_labels, remove_labels, update_project, create_project_status_update, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -214,7 +214,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -247,10 +247,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -323,7 +323,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -352,9 +352,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -376,15 +376,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-project"],"max":3},"create_issue":{"expires":2,"group":true,"max":1},"create_project_status_update":{"max":1},"create_pull_request":{"expires":2,"max":1,"title_prefix":"[smoke-project] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke-project"],"max":3},"update_project":{"max":20}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -399,7 +399,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -667,7 +667,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -692,8 +692,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -704,7 +704,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -734,7 +734,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -783,7 +783,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -858,15 +858,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -876,7 +876,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -904,18 +904,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -991,9 +991,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1043,9 +1043,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1105,7 +1105,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1129,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1142,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1167,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1184,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1198,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1217,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1243,7 +1243,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1252,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1299,7 +1299,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1357,9 +1357,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 09e192b9161..4e8a770b828 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -73,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,7 +99,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -120,9 +120,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -130,18 +130,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-temporary-id.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -152,9 +152,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Temporary ID smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing temporary ID functionality...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. Temporary ID validation passed.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -174,10 +174,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, link_sub_issue, missing_tool, missing_data, noop @@ -211,7 +211,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -244,10 +244,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -319,7 +319,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -348,9 +348,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -372,15 +372,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"create_issue":{"expires":2,"group":true,"max":5},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -391,7 +391,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -521,7 +521,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -546,8 +546,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -558,7 +558,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -588,7 +588,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -637,7 +637,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -712,15 +712,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -730,7 +730,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -758,18 +758,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -844,9 +844,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -896,9 +896,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -958,7 +958,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -982,9 +982,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -995,9 +995,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1018,9 +1018,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1035,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1054,9 +1054,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1080,7 +1080,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1089,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1132,7 +1132,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1158,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 1974101bed6..e476b682e86 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -75,7 +75,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,7 +101,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -119,18 +119,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-test-tools.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -141,9 +141,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔧 *Tool validation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Starting tool validation... [{workflow_name}]({run_url}) is checking the agent container tools...\",\"runSuccess\":\"✅ All tools validated successfully! [{workflow_name}]({run_url}) confirms agent container is ready.\",\"runFailure\":\"❌ Tool validation failed! [{workflow_name}]({run_url}) detected missing tools: {status}\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -163,10 +163,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -200,7 +200,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -233,10 +233,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -308,7 +308,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -362,9 +362,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -386,15 +386,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added." @@ -403,7 +403,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -482,7 +482,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -507,8 +507,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -519,7 +519,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -549,7 +549,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -598,7 +598,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -673,15 +673,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -691,7 +691,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -719,18 +719,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -805,9 +805,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -857,9 +857,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -919,7 +919,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -943,9 +943,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -956,9 +956,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -979,9 +979,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -996,9 +996,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1015,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1041,7 +1041,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1050,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1091,7 +1091,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1117,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 30dddc8af03..aef14c0d35e 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -74,7 +74,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -113,18 +113,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-update-cross-repo-pr.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -135,9 +135,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -158,16 +158,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -202,7 +202,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -242,10 +242,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -322,7 +322,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -374,9 +374,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -398,15 +398,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"create_issue":{"expires":2,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1,"target":"1"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -417,7 +417,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -549,7 +549,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -574,8 +574,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -586,7 +586,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -616,7 +616,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -665,7 +665,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -741,15 +741,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_SIDE_REPO_PAT,GITHUB_TOKEN' @@ -759,7 +759,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -787,18 +787,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -880,9 +880,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -933,9 +933,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -996,7 +996,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1020,9 +1020,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1033,9 +1033,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1057,9 +1057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1074,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1093,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1119,7 +1119,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1128,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1175,7 +1175,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1232,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1263,7 +1263,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index abd15b0d1c9..2d4561395ec 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -82,15 +82,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Resolve host repo for activation checkout id: resolve-host-repo uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/resolve_host_repo.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/resolve_host_repo.cjs'); await main(); - name: Compute artifact prefix id: artifact-prefix @@ -123,7 +123,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Cross-repo setup guidance @@ -149,9 +149,9 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-workflow-call-with-inputs.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -172,15 +172,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_auto_create_issue.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_auto_create_issue.md" cat << 'GH_AW_PROMPT_EOF' @@ -212,7 +212,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -247,10 +247,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -324,7 +324,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -353,9 +353,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -377,15 +377,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[smoke-workflow-call-with-inputs]\". Labels [\"smoke-workflow-call-with-inputs\"] will be automatically added." @@ -394,7 +394,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -488,7 +488,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -513,8 +513,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -525,7 +525,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -555,7 +555,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -604,7 +604,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -695,15 +695,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -713,7 +713,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -741,18 +741,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -827,9 +827,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -879,9 +879,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -939,7 +939,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -963,9 +963,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -976,9 +976,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -998,9 +998,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1015,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1038,7 +1038,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1047,9 +1047,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1087,7 +1087,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1113,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 7201670afc4..eb71362efaf 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -85,15 +85,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Resolve host repo for activation checkout id: resolve-host-repo uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/resolve_host_repo.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/resolve_host_repo.cjs'); await main(); - name: Compute artifact prefix id: artifact-prefix @@ -126,7 +126,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Cross-repo setup guidance @@ -152,9 +152,9 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-workflow-call.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -175,10 +175,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -212,7 +212,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -247,10 +247,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -323,7 +323,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -352,9 +352,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -376,15 +376,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added." @@ -393,7 +393,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -472,7 +472,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -497,8 +497,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -509,7 +509,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -539,7 +539,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -588,7 +588,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -683,15 +683,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -701,7 +701,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -729,18 +729,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -815,9 +815,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -867,9 +867,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -929,7 +929,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -953,9 +953,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -966,9 +966,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -989,9 +989,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1006,9 +1006,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1029,7 +1029,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1038,9 +1038,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1081,7 +1081,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1107,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 30e60f34d8c..693f8b4357d 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -74,7 +74,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -103,7 +103,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -121,9 +121,9 @@ jobs: GH_AW_WORKFLOW_FILE: "stale-repo-identifier.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -144,11 +144,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, upload_asset, missing_tool, missing_data, noop @@ -184,7 +184,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -235,10 +235,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -316,7 +316,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -414,9 +414,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -438,15 +438,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"group":true,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[Stale Repository] \". Labels [\"stale-repository\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -456,7 +456,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -559,7 +559,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -584,8 +584,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -596,7 +596,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -629,7 +629,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -679,7 +679,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -757,15 +757,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -775,7 +775,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -803,18 +803,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -904,9 +904,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -956,9 +956,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1018,7 +1018,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1042,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1055,9 +1055,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1078,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1095,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1134,7 +1134,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1160,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1191,7 +1191,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1236,7 +1236,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1292,8 +1292,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 13f75e87d41..f3872ce1dab 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "static-analysis-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,12 +129,12 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -207,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -286,7 +286,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -362,9 +362,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -401,27 +401,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"security\"." @@ -430,7 +430,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -517,7 +517,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -542,8 +542,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -554,7 +554,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -584,7 +584,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -650,7 +650,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -775,15 +775,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -793,7 +793,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -821,18 +821,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -911,9 +911,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -974,9 +974,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1036,7 +1036,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1060,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1073,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1096,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1113,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1150,7 +1150,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1176,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1207,7 +1207,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index a7e05c5650c..8310e39e6bc 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -59,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +85,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -103,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "step-name-alignment.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,11 +125,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -163,7 +163,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -198,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -276,7 +276,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -315,9 +315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -342,15 +342,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[step-names] \". Labels [\"maintenance\" \"step-naming\" \"cookie\"] will be automatically added." @@ -359,7 +359,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -453,7 +453,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -478,8 +478,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -490,7 +490,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -519,7 +519,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -567,7 +567,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -707,15 +707,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -725,7 +725,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -753,18 +753,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -843,9 +843,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -906,9 +906,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -967,7 +967,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -991,9 +991,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1004,9 +1004,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1025,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1042,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1080,7 +1080,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1106,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1137,7 +1137,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 8e5feda756a..d37d4ab37a0 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -59,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +85,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "sub-issue-closer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,10 +125,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, update_issue, missing_tool, missing_data, noop @@ -162,7 +162,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -195,10 +195,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -270,7 +270,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -299,9 +299,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -323,15 +323,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":20,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":20}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 20 comment(s) can be added. Target: *.", @@ -341,7 +341,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -474,7 +474,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -499,8 +499,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -511,7 +511,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -541,7 +541,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -590,7 +590,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -665,15 +665,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -683,7 +683,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -711,18 +711,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -797,9 +797,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -849,9 +849,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -911,7 +911,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -935,9 +935,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -948,9 +948,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -970,9 +970,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -987,9 +987,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1027,7 +1027,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1053,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 502f9240695..a7a858da040 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -62,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +88,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "super-linter.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -210,10 +210,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -293,7 +293,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -338,9 +338,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -362,15 +362,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[linter] \". Labels [\"automation\" \"code-quality\" \"cookie\"] will be automatically added." @@ -379,7 +379,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -473,7 +473,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -498,8 +498,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -510,7 +510,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -540,7 +540,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -589,7 +589,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -664,15 +664,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -682,7 +682,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -710,18 +710,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -802,9 +802,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -854,9 +854,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -915,7 +915,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -939,9 +939,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -952,9 +952,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -974,9 +974,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -991,9 +991,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1029,7 +1029,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1055,9 +1055,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1132,7 +1132,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index b2af332b784..bb1dbdbfcd9 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -67,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,7 +93,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -111,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "technical-doc-writer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -134,17 +134,17 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, upload_asset, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -178,7 +178,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -230,10 +230,10 @@ jobs: GH_AW_WIKI_NOTE: "\n\n> **GitHub Wiki**: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)." with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -315,7 +315,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -379,7 +379,7 @@ jobs: TARGET_REPO: ${{ github.repository }}.wiki MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: false - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -402,9 +402,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -426,15 +426,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -445,7 +445,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -569,7 +569,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -594,8 +594,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -606,16 +606,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -643,7 +643,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -652,17 +652,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -674,7 +674,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -706,7 +706,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -741,7 +741,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -804,7 +804,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -882,15 +882,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -900,7 +900,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -928,27 +928,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1049,9 +1049,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1101,9 +1101,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1166,7 +1166,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1190,9 +1190,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1203,9 +1203,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1232,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1249,9 +1249,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1263,9 +1263,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1292,7 +1292,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1335,9 +1335,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1380,7 +1380,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1435,9 +1435,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1466,7 +1466,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1511,7 +1511,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1567,8 +1567,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 81951d92cdc..0f3f0360f15 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "terminal-stylist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,10 +130,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -207,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -281,7 +281,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -310,9 +310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -334,15 +334,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -351,7 +351,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -438,7 +438,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -463,8 +463,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -475,7 +475,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -505,7 +505,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -569,7 +569,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -644,15 +644,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -662,7 +662,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -690,18 +690,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -776,9 +776,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -828,9 +828,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -889,7 +889,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -913,9 +913,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -926,9 +926,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -950,9 +950,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -967,9 +967,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1004,7 +1004,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index bc3fceede17..dc9790938af 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -56,7 +56,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,7 +82,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -100,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-create-pr-error-handling.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,16 +122,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -163,7 +163,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -198,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -274,7 +274,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -313,9 +313,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -340,15 +340,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Labels [\"test\"] will be automatically added." @@ -357,7 +357,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -454,7 +454,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -479,8 +479,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -491,7 +491,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -520,7 +520,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -568,7 +568,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -692,15 +692,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -710,7 +710,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -738,18 +738,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -829,9 +829,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -892,9 +892,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -954,7 +954,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -978,9 +978,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -991,9 +991,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1014,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1031,9 +1031,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1045,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1086,7 +1086,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1141,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1172,7 +1172,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 972b2505cf4..57799502d91 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -55,7 +55,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,7 +81,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -99,9 +99,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-dispatcher.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,10 +121,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: dispatch_workflow, missing_tool, missing_data, noop @@ -158,7 +158,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -190,10 +190,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -263,7 +263,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -292,9 +292,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -316,15 +316,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"dispatch_workflow":{"max":1,"workflow_files":{"test-workflow":".lock.yml"},"workflows":["test-workflow"]},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": {}, "repo_params": {}, @@ -350,7 +350,7 @@ jobs: ] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -411,7 +411,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -436,8 +436,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -448,7 +448,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -478,7 +478,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -527,7 +527,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -602,15 +602,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -620,7 +620,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -648,18 +648,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -734,9 +734,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -786,9 +786,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -845,7 +845,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -869,9 +869,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -882,9 +882,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -904,9 +904,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -921,9 +921,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -956,7 +956,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -982,9 +982,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 216f34c03a4..ff8c99f6e7b 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -55,7 +55,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,7 +81,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -99,9 +99,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-project-url-default.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,10 +121,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_project, create_project_status_update, missing_tool, missing_data, noop @@ -158,7 +158,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -190,10 +190,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -262,7 +262,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -291,9 +291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -315,15 +315,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_project_status_update":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_project":{"max":5}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_project_status_update": " CONSTRAINTS: Maximum 1 status update(s) can be created. Default project URL: \"https://github.com/orgs/\u003cORG\u003e/projects/\u003cNUMBER\u003e\".", @@ -333,7 +333,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_project_status_update": { "defaultMax": 10, @@ -476,7 +476,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -501,8 +501,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -513,7 +513,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -543,7 +543,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -592,7 +592,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -667,15 +667,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -685,7 +685,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -713,18 +713,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -799,9 +799,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -851,9 +851,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -910,7 +910,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -934,9 +934,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -947,9 +947,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -969,9 +969,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -986,9 +986,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1021,7 +1021,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1050,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index 0b21ef5287c..5df53edef15 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -60,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +86,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-workflow.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,9 +125,9 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -158,7 +158,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -190,10 +190,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -249,7 +249,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -278,9 +278,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -325,7 +325,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -360,7 +360,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -434,15 +434,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -452,7 +452,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -460,18 +460,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 8c276d65a8c..13f684fb3e5 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -84,7 +84,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -110,7 +110,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -131,9 +131,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -141,18 +141,18 @@ jobs: GH_AW_WORKFLOW_FILE: "tidy.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -162,9 +162,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Tidy" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -185,16 +185,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -226,9 +226,9 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -264,10 +264,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -341,7 +341,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -384,9 +384,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -408,15 +408,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[tidy] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[tidy] \". Labels [\"automation\" \"maintenance\"] will be automatically added. Reviewers [\"copilot\"] will be assigned." @@ -425,7 +425,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -542,7 +542,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -567,8 +567,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -579,7 +579,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -609,7 +609,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -658,7 +658,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -758,15 +758,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -776,7 +776,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -805,18 +805,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -892,9 +892,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -944,9 +944,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1005,7 +1005,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1029,9 +1029,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1044,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1068,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1085,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1099,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1117,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1143,7 +1143,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1152,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1163,9 +1163,9 @@ jobs: GH_AW_COMMANDS: "[\"tidy\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1206,7 +1206,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1261,9 +1261,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 0f0a1f2493a..61ea0aece79 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "typist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,10 +129,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -206,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -281,7 +281,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -310,9 +310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -337,15 +337,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\"." @@ -354,7 +354,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -441,7 +441,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -466,8 +466,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -478,7 +478,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -507,7 +507,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -578,7 +578,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -717,15 +717,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -735,7 +735,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -763,18 +763,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -847,9 +847,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -910,9 +910,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -971,7 +971,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -995,9 +995,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1008,9 +1008,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1031,9 +1031,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1048,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1085,7 +1085,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1111,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 21b918bf05b..479559bb282 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -66,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -92,7 +92,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "ubuntu-image-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,15 +132,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -172,7 +172,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -209,10 +209,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -287,7 +287,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -316,9 +316,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -340,15 +340,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[ubuntu-image] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ubuntu-image] \". Labels [\"documentation\" \"automation\" \"infrastructure\"] will be automatically added." @@ -357,7 +357,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -454,7 +454,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -479,8 +479,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -491,7 +491,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -521,7 +521,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -570,7 +570,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -671,15 +671,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -689,7 +689,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -717,18 +717,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -804,9 +804,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -856,9 +856,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -917,7 +917,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -942,9 +942,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -956,9 +956,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -981,9 +981,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -999,9 +999,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1014,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1037,7 +1037,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1046,9 +1046,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Generate GitHub App token for skip-if checks id: pre-activation-app-token @@ -1069,9 +1069,9 @@ jobs: with: github-token: ${{ steps.pre-activation-app-token.outputs.token }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1111,7 +1111,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1166,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 05a22be2036..e619b3b8a67 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -81,7 +81,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -107,7 +107,7 @@ jobs: await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -128,9 +128,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -138,18 +138,18 @@ jobs: GH_AW_WORKFLOW_FILE: "unbloat-docs.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -160,9 +160,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🗜️ *Compressed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📦 Time to slim down! [{workflow_name}]({run_url}) is trimming the excess from this {event_type}...\",\"runSuccess\":\"🗜️ Docs on a diet! [{workflow_name}]({run_url}) has removed the bloat. Lean and mean! 💪\",\"runFailure\":\"📦 Unbloating paused! [{workflow_name}]({run_url}) {status}. The docs remain... fluffy.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -182,17 +182,17 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, upload_asset, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -226,7 +226,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -275,10 +275,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -353,7 +353,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install QMD @@ -419,9 +419,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -446,15 +446,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"auto_merge":true,"draft":true,"expires":48,"fallback_as_issue":false,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -465,7 +465,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -589,7 +589,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -614,8 +614,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -626,16 +626,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -663,7 +663,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -672,17 +672,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -694,7 +694,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -726,7 +726,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -761,7 +761,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -849,7 +849,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1035,15 +1035,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1053,7 +1053,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1082,27 +1082,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1192,9 +1192,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1255,9 +1255,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1319,7 +1319,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1343,9 +1343,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1356,9 +1356,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1380,9 +1380,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1397,9 +1397,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1411,9 +1411,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1430,9 +1430,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1456,7 +1456,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1465,9 +1465,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1476,9 +1476,9 @@ jobs: GH_AW_COMMANDS: "[\"unbloat\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1521,7 +1521,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1576,9 +1576,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1607,7 +1607,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1652,7 +1652,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1708,8 +1708,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index bae1e70fdf9..6de951d48ed 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +90,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "update-astro.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,15 +132,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -172,7 +172,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -211,10 +211,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -292,7 +292,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -321,9 +321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -345,15 +345,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"dependencies\"] will be automatically added." @@ -362,7 +362,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -459,7 +459,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -484,8 +484,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -496,7 +496,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -526,7 +526,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -575,7 +575,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -650,15 +650,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -668,7 +668,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -696,18 +696,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -783,9 +783,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -835,9 +835,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -930,7 +930,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -955,9 +955,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -969,9 +969,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -994,9 +994,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1012,9 +1012,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1027,9 +1027,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1050,7 +1050,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-no-match query id: check_skip_if_no_match @@ -1072,9 +1072,9 @@ jobs: GH_AW_SKIP_MIN_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_no_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_no_match.cjs'); await main(); safe_outputs: @@ -1114,7 +1114,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1169,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index b9622823a68..52272c848d0 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "video-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,10 +132,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -169,7 +169,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -208,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -283,7 +283,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -320,9 +320,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -344,15 +344,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[video-analysis] \". Labels [\"automation\" \"video-processing\" \"cookie\"] will be automatically added." @@ -361,7 +361,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -455,7 +455,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -480,8 +480,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -492,7 +492,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -522,7 +522,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -571,7 +571,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -663,15 +663,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -681,7 +681,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -709,18 +709,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -795,9 +795,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -847,9 +847,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -907,7 +907,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -931,9 +931,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -944,9 +944,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -966,9 +966,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -983,9 +983,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1021,7 +1021,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1047,9 +1047,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index ebc3edf487d..299d123a9d2 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -59,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +85,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "weekly-editors-health-check.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +125,16 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, upload_asset, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -202,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -277,7 +277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -306,9 +306,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -330,15 +330,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":168,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":5}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"automation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -348,7 +348,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -454,7 +454,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -479,8 +479,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -491,7 +491,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -525,7 +525,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -588,7 +588,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -692,15 +692,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -710,7 +710,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -738,18 +738,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -834,9 +834,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -886,9 +886,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -948,7 +948,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -973,9 +973,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -987,9 +987,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1012,9 +1012,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1045,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1087,7 +1087,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1142,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1175,7 +1175,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1231,8 +1231,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 18d1e79225c..a7f33d46fbd 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -64,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,7 +93,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -111,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "weekly-issue-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -133,11 +133,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -173,7 +173,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -218,10 +218,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -295,7 +295,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -367,15 +367,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Weekly Summary] \". Discussions will be created in category \"audits\".", @@ -385,7 +385,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -481,7 +481,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -506,8 +506,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -518,7 +518,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -551,7 +551,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -601,7 +601,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -679,15 +679,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -697,7 +697,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -725,18 +725,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -826,9 +826,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -878,9 +878,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -941,7 +941,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -966,9 +966,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -980,9 +980,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1004,9 +1004,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1022,9 +1022,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1060,7 +1060,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1086,9 +1086,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1117,7 +1117,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1162,7 +1162,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1218,8 +1218,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 18d960441b1..22a53ecf0e4 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -59,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +88,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "weekly-safe-outputs-spec-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,15 +128,15 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -168,7 +168,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -200,10 +200,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -275,7 +275,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -304,9 +304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -328,15 +328,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":168,"max":1,"title_prefix":"[spec-review] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[spec-review] \". Labels [\"documentation\" \"safe-outputs\" \"automation\"] will be automatically added." @@ -345,7 +345,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -442,7 +442,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -467,8 +467,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -479,7 +479,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -509,7 +509,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -559,7 +559,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -634,15 +634,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -652,7 +652,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -680,18 +680,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -767,9 +767,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -819,9 +819,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -880,7 +880,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -905,9 +905,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -919,9 +919,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -944,9 +944,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -962,9 +962,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -977,9 +977,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1019,7 +1019,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1074,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 1a1708ca21a..542c99f8860 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -68,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,7 +97,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -118,9 +118,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -128,18 +128,18 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-generator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Lock issue for agent workflow id: lock-issue @@ -147,9 +147,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/lock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/lock-issue.cjs'); await main(); - name: Create prompt with built-in context env: @@ -169,10 +169,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_issue, assign_to_agent, missing_tool, missing_data, noop @@ -206,7 +206,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -239,10 +239,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -314,7 +314,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -343,9 +343,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -367,15 +367,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"assign_to_agent":{"allowed":["copilot"],"max":1,"target":"triggering"},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "assign_to_agent": " CONSTRAINTS: Maximum 1 issue(s) can be assigned to agent.", @@ -385,7 +385,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "assign_to_agent": { "defaultMax": 1, @@ -525,7 +525,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -550,8 +550,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -562,7 +562,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -592,7 +592,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -642,7 +642,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -717,15 +717,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -735,7 +735,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -763,18 +763,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -849,9 +849,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -901,9 +901,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -962,7 +962,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -986,9 +986,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -999,9 +999,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1023,9 +1023,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1040,9 +1040,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1065,7 +1065,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1074,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check user rate limit id: check_rate_limit @@ -1089,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_rate_limit.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_rate_limit.cjs'); await main(); safe_outputs: @@ -1131,7 +1131,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1157,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1173,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_to_agent.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1206,15 +1206,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/unlock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/unlock-issue.cjs'); await main(); diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index ab44fb1dbb4..0e83e02bb35 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -65,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +91,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-health-manager.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,11 +132,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_issue, missing_tool, missing_data, noop @@ -170,7 +170,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -212,10 +212,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -296,7 +296,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -312,7 +312,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -335,9 +335,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -359,15 +359,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":15},"create_issue":{"expires":24,"group":true,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":51200}]},"update_issue":{"max":5}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 15 comment(s) can be added.", @@ -378,7 +378,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -544,7 +544,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -569,8 +569,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -581,7 +581,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -611,7 +611,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -660,7 +660,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -735,15 +735,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -753,7 +753,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -781,18 +781,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -876,9 +876,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -928,9 +928,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -991,7 +991,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1015,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1028,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1054,9 +1054,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1071,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1094,7 +1094,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1103,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1132,7 +1132,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1175,9 +1175,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('${{ env.GH_AW_HOME }}/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1217,7 +1217,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1243,9 +1243,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 777cd2743e0..21820b6aef9 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-normalizer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,11 +129,11 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/agentic_workflows_guide.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/agentic_workflows_guide.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -167,7 +167,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -203,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -280,7 +280,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -339,9 +339,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -375,27 +375,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[workflow-style] \". Labels [\"cookie\"] will be automatically added." @@ -404,7 +404,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -498,7 +498,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -523,8 +523,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -535,7 +535,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -566,7 +566,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -634,7 +634,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -709,15 +709,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -727,7 +727,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -755,18 +755,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -841,9 +841,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -893,9 +893,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -953,7 +953,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -978,9 +978,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -992,9 +992,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1015,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1033,9 +1033,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1072,7 +1072,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1098,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 0d9ab41ab66..29a28644455 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +89,7 @@ jobs: await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-skill-extractor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,10 +129,10 @@ jobs: cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, missing_tool, missing_data, noop @@ -166,7 +166,7 @@ jobs: GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" + cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -201,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -278,7 +278,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -307,9 +307,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh latest @@ -331,15 +331,15 @@ jobs: run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_issue":{"expires":48,"group":true,"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"reports\".", @@ -349,7 +349,7 @@ jobs: "dynamic_tools": [] } GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -469,7 +469,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF - node /opt/gh-aw/actions/generate_safe_outputs_tools.cjs + node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -494,8 +494,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -506,7 +506,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -536,7 +536,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -585,7 +585,7 @@ jobs: path: /tmp/gh-aw - name: Clean git credentials continue-on-error: true - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -680,15 +680,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -698,7 +698,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -726,18 +726,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -812,9 +812,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -864,9 +864,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -925,7 +925,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -949,9 +949,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -962,9 +962,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -986,9 +986,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1003,9 +1003,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1042,7 +1042,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1068,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/pkg/workflow/cache.go b/pkg/workflow/cache.go index 3f6f8dd9b42..3f0690eb5dc 100644 --- a/pkg/workflow/cache.go +++ b/pkg/workflow/cache.go @@ -360,7 +360,7 @@ func generateCacheMemorySteps(builder *strings.Builder, data *WorkflowData) { if useBackwardCompatiblePaths { // For single default cache, use the original directory for backward compatibility builder.WriteString(" - name: Create cache-memory directory\n") - builder.WriteString(" run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh\n") + builder.WriteString(" run: bash " + GhAwHome + "/actions/create_cache_memory_dir.sh\n") } else { fmt.Fprintf(builder, " - name: Create cache-memory directory (%s)\n", cache.ID) builder.WriteString(" run: |\n") @@ -498,9 +498,9 @@ func generateCacheMemoryValidation(builder *strings.Builder, data *WorkflowData) // Build validation script var validationScript strings.Builder - validationScript.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + validationScript.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") validationScript.WriteString(" setupGlobals(core, github, context, exec, io);\n") - validationScript.WriteString(" const { validateMemoryFiles } = require('/opt/gh-aw/actions/validate_memory_files.cjs');\n") + validationScript.WriteString(" const { validateMemoryFiles } = require(" + JsRequireGhAw("actions/validate_memory_files.cjs") + ");\n") fmt.Fprintf(&validationScript, " const allowedExtensions = %s;\n", allowedExtsJSON) fmt.Fprintf(&validationScript, " const result = validateMemoryFiles('%s', 'cache', allowedExtensions);\n", cacheDir) validationScript.WriteString(" if (!result.valid) {\n") diff --git a/pkg/workflow/compiler_main_job.go b/pkg/workflow/compiler_main_job.go index 5390f79e0fa..e2a0d396977 100644 --- a/pkg/workflow/compiler_main_job.go +++ b/pkg/workflow/compiler_main_job.go @@ -174,23 +174,23 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( } } - // Build job-level environment variables for safe outputs - var env map[string]string + // Build job-level environment variables + // Always inject GH_AW_HOME so callers can override it via workflow/repo env + env := map[string]string{ + "GH_AW_HOME": GhAwHomeExprDefault, + } if data.SafeOutputs != nil { - env = make(map[string]string) - // Set GH_AW_SAFE_OUTPUTS to path in /opt (read-only mount for agent container) - // The MCP server writes agent outputs to this file during execution - // This file is in /opt to prevent the agent container from having write access - env["GH_AW_SAFE_OUTPUTS"] = "/opt/gh-aw/safeoutputs/outputs.jsonl" + // Set GH_AW_SAFE_OUTPUTS using GhAwHomeExpr so it adapts to GH_AW_HOME overrides + env["GH_AW_SAFE_OUTPUTS"] = GhAwHomeExpr + "/safeoutputs/outputs.jsonl" // Set GH_AW_MCP_LOG_DIR for safe outputs MCP server logging // Store in mcp-logs directory so it's included in mcp-logs artifact env["GH_AW_MCP_LOG_DIR"] = "/tmp/gh-aw/mcp-logs/safeoutputs" - // Set config and tools paths (readonly files in /opt/gh-aw) - env["GH_AW_SAFE_OUTPUTS_CONFIG_PATH"] = "/opt/gh-aw/safeoutputs/config.json" - env["GH_AW_SAFE_OUTPUTS_TOOLS_PATH"] = "/opt/gh-aw/safeoutputs/tools.json" + // Set config and tools paths using GhAwHomeExpr + env["GH_AW_SAFE_OUTPUTS_CONFIG_PATH"] = GhAwHomeExpr + "/safeoutputs/config.json" + env["GH_AW_SAFE_OUTPUTS_TOOLS_PATH"] = GhAwHomeExpr + "/safeoutputs/tools.json" // Add asset-related environment variables // These must always be set (even to empty) because awmg v0.0.12+ validates ${VAR} references @@ -214,9 +214,6 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( // This contains the workflow ID with all hyphens removed and lowercased // Used in cache keys to avoid spaces and special characters if data.WorkflowID != "" { - if env == nil { - env = make(map[string]string) - } sanitizedID := SanitizeWorkflowIDForCacheKey(data.WorkflowID) env["GH_AW_WORKFLOW_ID_SANITIZED"] = sanitizedID } @@ -224,9 +221,6 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( // Set job-level GH_AW_INFO_APM_VERSION so the apm_restore step can reference it // via ${{ env.GH_AW_INFO_APM_VERSION }} in its with: block if data.APMDependencies != nil && len(data.APMDependencies.Packages) > 0 { - if env == nil { - env = make(map[string]string) - } apmVersion := data.APMDependencies.Version if apmVersion == "" { apmVersion = string(constants.DefaultAPMVersion) diff --git a/pkg/workflow/compiler_safe_outputs_specialized.go b/pkg/workflow/compiler_safe_outputs_specialized.go index 9217585f8d5..4e304574359 100644 --- a/pkg/workflow/compiler_safe_outputs_specialized.go +++ b/pkg/workflow/compiler_safe_outputs_specialized.go @@ -127,7 +127,7 @@ func (c *Compiler) buildCreateAgentSessionStepConfig(data *WorkflowData, mainJob return SafeOutputStepConfig{ StepName: "Create Agent Session", StepID: "create_agent_session", - Script: "const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/create_agent_session.cjs") + "); await main();", CustomEnvVars: customEnvVars, Condition: condition, Token: cfg.GitHubToken, diff --git a/pkg/workflow/compiler_workflow_call.go b/pkg/workflow/compiler_workflow_call.go index 8cb8fe0db67..a37136cb356 100644 --- a/pkg/workflow/compiler_workflow_call.go +++ b/pkg/workflow/compiler_workflow_call.go @@ -47,7 +47,7 @@ func generateArtifactPrefixStep() []string { " id: artifact-prefix\n", " env:\n", " INPUTS_JSON: ${{ toJSON(inputs) }}\n", - " run: bash /opt/gh-aw/actions/compute_artifact_prefix.sh\n", + " run: bash " + GhAwHome + "/actions/compute_artifact_prefix.sh\n", } } diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go index b75c59bcc04..c5f9775d7f5 100644 --- a/pkg/workflow/compiler_yaml.go +++ b/pkg/workflow/compiler_yaml.go @@ -508,13 +508,13 @@ func (c *Compiler) generatePrompt(yaml *strings.Builder, data *WorkflowData, pre yaml.WriteString(" - name: Validate prompt placeholders\n") yaml.WriteString(" env:\n") yaml.WriteString(" GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/validate_prompt_placeholders.sh\n") // Print prompt (merged into prompt generation) yaml.WriteString(" - name: Print prompt\n") yaml.WriteString(" env:\n") yaml.WriteString(" GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/print_prompt_summary.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/print_prompt_summary.sh\n") } func (c *Compiler) generatePostSteps(yaml *strings.Builder, data *WorkflowData) { if data.PostSteps != "" { @@ -677,7 +677,7 @@ func (c *Compiler) generateCreateAwInfo(yaml *strings.Builder, data *WorkflowDat fmt.Fprintf(yaml, " uses: %s\n", GetActionPin("actions/github-script")) yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/generate_aw_info.cjs") + ");\n") yaml.WriteString(" await main(core, context);\n") } @@ -736,9 +736,9 @@ func (c *Compiler) generateOutputCollectionStep(yaml *strings.Builder, data *Wor yaml.WriteString(" script: |\n") // Load script from external file using require() - yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/collect_ndjson_output.cjs") + ");\n") yaml.WriteString(" await main();\n") } diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index 3b6ca34e8a6..3c670636c82 100644 --- a/pkg/workflow/compiler_yaml_main_job.go +++ b/pkg/workflow/compiler_yaml_main_job.go @@ -117,9 +117,9 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/merge_remote_agent_github_folder.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/merge_remote_agent_github_folder.cjs") + ");\n") yaml.WriteString(" await main();\n") } @@ -178,7 +178,7 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat // Create /tmp/gh-aw/ base directory for all temporary files // This must be created before custom steps so they can use the temp directory yaml.WriteString(" - name: Create gh-aw temp directory\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/create_gh_aw_tmp_dir.sh\n") // Add custom steps if present if data.CustomSteps != "" { diff --git a/pkg/workflow/copilot_engine_execution.go b/pkg/workflow/copilot_engine_execution.go index f706145aa63..533f10c622b 100644 --- a/pkg/workflow/copilot_engine_execution.go +++ b/pkg/workflow/copilot_engine_execution.go @@ -408,7 +408,7 @@ func generateInferenceAccessErrorDetectionStep() GitHubActionStep { step = append(step, " id: detect-inference-error") step = append(step, " if: always()") step = append(step, " continue-on-error: true") - step = append(step, " run: bash /opt/gh-aw/actions/detect_inference_access_error.sh") + step = append(step, " run: bash "+GhAwHome+"/actions/detect_inference_access_error.sh") return GitHubActionStep(step) } diff --git a/pkg/workflow/copilot_engine_installation.go b/pkg/workflow/copilot_engine_installation.go index 06062185fc0..fd404608d91 100644 --- a/pkg/workflow/copilot_engine_installation.go +++ b/pkg/workflow/copilot_engine_installation.go @@ -161,7 +161,7 @@ func generateAWFInstallationStep(version string, agentConfig *AgentSandboxConfig stepLines := []string{ " - name: Install AWF binary", - " run: bash /opt/gh-aw/actions/install_awf_binary.sh " + version, + " run: bash " + GhAwHome + "/actions/install_awf_binary.sh " + version, } return GitHubActionStep(stepLines) diff --git a/pkg/workflow/copilot_installer.go b/pkg/workflow/copilot_installer.go index a5575274250..fa349ce3c92 100644 --- a/pkg/workflow/copilot_installer.go +++ b/pkg/workflow/copilot_installer.go @@ -27,7 +27,7 @@ func GenerateCopilotInstallerSteps(version, stepName string) []GitHubActionStep // other workflow steps. stepLines := []string{ " - name: " + stepName, - " run: /opt/gh-aw/actions/install_copilot_cli.sh " + version, + " run: " + GhAwHome + "/actions/install_copilot_cli.sh " + version, " env:", " GH_HOST: github.com", } diff --git a/pkg/workflow/docker.go b/pkg/workflow/docker.go index 6a4339fb6e1..f8f7df08e48 100644 --- a/pkg/workflow/docker.go +++ b/pkg/workflow/docker.go @@ -184,7 +184,7 @@ func generateDownloadDockerImagesStep(yaml *strings.Builder, dockerImages []stri } yaml.WriteString(" - name: Download container images\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/download_docker_images.sh") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/download_docker_images.sh") for _, image := range dockerImages { fmt.Fprintf(yaml, " %s", image) } diff --git a/pkg/workflow/mcp_github_config.go b/pkg/workflow/mcp_github_config.go index 5d90afafa07..5b08f663369 100644 --- a/pkg/workflow/mcp_github_config.go +++ b/pkg/workflow/mcp_github_config.go @@ -484,7 +484,7 @@ func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder, } yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');\n") + yaml.WriteString(" const determineAutomaticLockdown = require(" + JsRequireGhAw("actions/determine_automatic_lockdown.cjs") + ");\n") yaml.WriteString(" await determineAutomaticLockdown(github, context, core);\n") } diff --git a/pkg/workflow/notify_comment.go b/pkg/workflow/notify_comment.go index d6cd6e9dcf4..ca494e251b4 100644 --- a/pkg/workflow/notify_comment.go +++ b/pkg/workflow/notify_comment.go @@ -119,7 +119,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "missing_tool", MainJobName: mainJobName, CustomEnvVars: missingToolEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/missing_tool.cjs") + "); await main();", ScriptFile: "missing_tool.cjs", CustomToken: data.SafeOutputs.MissingTool.GitHubToken, }) @@ -230,7 +230,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "handle_agent_failure", MainJobName: mainJobName, CustomEnvVars: agentFailureEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/handle_agent_failure.cjs") + "); await main();", ScriptFile: "handle_agent_failure.cjs", CustomToken: "", // Will use default GITHUB_TOKEN }) @@ -260,7 +260,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "handle_noop_message", MainJobName: mainJobName, CustomEnvVars: noopMessageEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/handle_noop_message.cjs") + "); await main();", ScriptFile: "handle_noop_message.cjs", CustomToken: "", // Will use default GITHUB_TOKEN }) @@ -281,7 +281,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "handle_create_pr_error", MainJobName: mainJobName, CustomEnvVars: createPRErrorEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/handle_create_pr_error.cjs") + "); await main();", ScriptFile: "handle_create_pr_error.cjs", CustomToken: "", // Will use default GITHUB_TOKEN }) @@ -431,6 +431,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa Environment: c.indentYAMLLines(resolveSafeOutputsEnvironment(data), " "), Permissions: permissions.RenderToYAML(), Concurrency: concurrency, + Env: map[string]string{"GH_AW_HOME": GhAwHomeExprDefault}, Steps: steps, Needs: needs, Outputs: outputs, diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go index 63674ee8842..11b3ed4c42b 100644 --- a/pkg/workflow/repo_memory.go +++ b/pkg/workflow/repo_memory.go @@ -668,14 +668,14 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna // Use require() to load script from copied files using setup_globals helper step.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") - step.WriteString(" const { main } = require('" + SetupActionDestination + "/push_repo_memory.cjs');\n") + step.WriteString(" const { main } = require(" + JsRequireGhAw("actions/push_repo_memory.cjs") + ");\n") step.WriteString(" await main();\n") } else { // Inline JavaScript: Attach GitHub Actions builtin objects to global scope before script execution step.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript script with proper indentation - formattedScript := FormatJavaScriptForYAML("const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main();") + formattedScript := FormatJavaScriptForYAML("const { main } = require(" + JsRequireGhAw("actions/push_repo_memory.cjs") + "); await main();") for _, line := range formattedScript { step.WriteString(line) } @@ -713,6 +713,7 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna If: jobCondition, Permissions: "permissions:\n contents: write", Concurrency: concurrency, + Env: map[string]string{"GH_AW_HOME": GhAwHomeExprDefault}, Needs: []string{"agent"}, // Detection dependency added by caller if needed Steps: steps, Outputs: outputs, diff --git a/pkg/workflow/template.go b/pkg/workflow/template.go index 9bea3393b48..eaa81d6eb1f 100644 --- a/pkg/workflow/template.go +++ b/pkg/workflow/template.go @@ -123,8 +123,8 @@ func (c *Compiler) generateInterpolationAndTemplateStep(yaml *strings.Builder, e // Load interpolate_prompt script from external file // Use setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/interpolate_prompt.cjs") + ");\n") yaml.WriteString(" await main();\n") } diff --git a/pkg/workflow/unified_prompt_step.go b/pkg/workflow/unified_prompt_step.go index 068ae6bb368..165eccbf762 100644 --- a/pkg/workflow/unified_prompt_step.go +++ b/pkg/workflow/unified_prompt_step.go @@ -478,7 +478,7 @@ func (c *Compiler) generateUnifiedPromptCreationStep(yaml *strings.Builder, buil } yaml.WriteString(" run: |\n") - yaml.WriteString(" bash /opt/gh-aw/actions/create_prompt_first.sh\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/create_prompt_first.sh\n") yaml.WriteString(" {\n") // Track if we're inside a heredoc