From 5610608e9b19ee8c9d1499f9566cab6bdaec9414 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 23 Oct 2025 04:46:40 +0000 Subject: [PATCH 1/5] Initial plan From 567644bd0d5c6c53699c878dbf87b5ae89bc9bba Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 23 Oct 2025 04:53:29 +0000 Subject: [PATCH 2/5] Initial exploration and plan Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/dev.firewall.lock.yml | 56 ++++--------------------- 1 file changed, 7 insertions(+), 49 deletions(-) diff --git a/.github/workflows/dev.firewall.lock.yml b/.github/workflows/dev.firewall.lock.yml index 7232998a2e..64c1bd31b7 100644 --- a/.github/workflows/dev.firewall.lock.yml +++ b/.github/workflows/dev.firewall.lock.yml @@ -118,19 +118,6 @@ jobs: uses: actions/setup-node@v4 with: node-version: '24' - - name: Install awf binary - run: | - LATEST_TAG=$(gh release view --repo githubnext/gh-aw-firewall --json tagName --jq .tagName) - echo "Installing awf from release: $LATEST_TAG" - curl -L https://github.com/githubnext/gh-aw-firewall/releases/download/${LATEST_TAG}/awf-linux-x64 -o awf - chmod +x awf - sudo mv awf /usr/local/bin/ - which awf - awf --version - env: - GH_TOKEN: ${{ github.token }} - - name: Cleanup any existing awf resources - run: ./scripts/ci/cleanup.sh || true - name: Install GitHub Copilot CLI run: npm install -g @github/copilot@0.0.347 - name: Downloading container images 
@@ -356,7 +343,7 @@ jobs: if-no-files-found: warn - name: Capture agent version run: | - VERSION_OUTPUT=$(npx -y @github/copilot@0.0.347 --version 2>&1 || echo "unknown") + VERSION_OUTPUT=$(copilot --version 2>&1 || echo "unknown") # Extract semantic version pattern (e.g., 1.2.3, v1.2.3-beta) CLEAN_VERSION=$(echo "$VERSION_OUTPUT" | grep -oE 'v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?' | head -n1 || echo "unknown") echo "AGENT_VERSION=$CLEAN_VERSION" >> $GITHUB_ENV @@ -408,20 +395,12 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all \ - --allow-domains api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org \ - --log-level debug \ - 'npx -y @github/copilot@0.0.347 --add-dir /tmp/gh-aw/ --log-level all --disable-builtin-mcps --allow-tool github --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' \ - 2>&1 | tee /tmp/gh-aw/agent-stdio.log - - # Move preserved Copilot logs to expected location - COPILOT_LOGS_DIR=$(ls -td /tmp/copilot-logs-* 2>/dev/null | head -1) - if [ -n "$COPILOT_LOGS_DIR" ] && [ -d "$COPILOT_LOGS_DIR" ]; then - echo "Moving Copilot logs from $COPILOT_LOGS_DIR to /tmp/gh-aw/.copilot/logs/" - mkdir -p /tmp/gh-aw/.copilot/logs/ - mv "$COPILOT_LOGS_DIR"/* /tmp/gh-aw/.copilot/logs/ || true - rmdir "$COPILOT_LOGS_DIR" || true - fi + COPILOT_CLI_INSTRUCTION=$(cat /tmp/gh-aw/aw-prompts/prompt.txt) + mkdir -p /tmp/ + mkdir -p /tmp/gh-aw/ + mkdir -p /tmp/gh-aw/agent/ + mkdir -p /tmp/gh-aw/.copilot/logs/ + copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/.copilot/logs/ --disable-builtin-mcps --allow-tool github --prompt "$COPILOT_CLI_INSTRUCTION" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json 
@@ -559,24 +538,6 @@ jobs: name: mcp-logs path: /tmp/gh-aw/mcp-logs/ if-no-files-found: ignore - - name: Agent Firewall logs - if: always() - run: | - # Squid logs are preserved in timestamped directories - SQUID_LOGS_DIR=$(ls -td /tmp/squid-logs-* 2>/dev/null | head -1) - if [ -n "$SQUID_LOGS_DIR" ] && [ -d "$SQUID_LOGS_DIR" ]; then - echo "Found Squid logs at: $SQUID_LOGS_DIR" - mkdir -p /tmp/gh-aw/squid-logs-dev-firewall/ - sudo cp -r "$SQUID_LOGS_DIR"/* /tmp/gh-aw/squid-logs-dev-firewall/ || true - sudo chmod -R a+r /tmp/gh-aw/squid-logs-dev-firewall/ || true - fi - - name: Upload Squid logs - if: always() - uses: actions/upload-artifact@v4 - with: - name: squid-logs-dev-firewall - path: /tmp/gh-aw/squid-logs-dev-firewall/ - if-no-files-found: ignore - name: Parse agent logs for step summary if: always() uses: actions/github-script@v8 @@ -1406,9 +1367,6 @@ jobs: name: agent-stdio.log path: /tmp/gh-aw/agent-stdio.log if-no-files-found: warn - - name: Cleanup awf resources - if: always() - run: ./scripts/ci/cleanup.sh || true - name: Validate agent logs for errors if: always() uses: actions/github-script@v8 From 679de5ca7d430e81fac1c465cbb5a120735c3ab5 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 23 Oct 2025 04:58:10 +0000 Subject: [PATCH 3/5] Remove "defaults" section from main JSON schema - Removed top-level "defaults" property definition (lines 1073-1094) - Removed "$ref" to defaults within jobs section (lines 1197-1199) - Removed "defaults" from PriorityJobFields constant in constants.go - Removed test cases that used the defaults field - All tests pass and workflows compile successfully Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/dev.firewall.lock.yml | 56 +++++++++++++++++--- pkg/constants/constants.go | 2 +- pkg/parser/schema_test.go | 26 --------- pkg/parser/schemas/main_workflow_schema.json | 25 --------- 4 files changed, 50 insertions(+), 59 deletions(-) diff --git a/.github/workflows/dev.firewall.lock.yml b/.github/workflows/dev.firewall.lock.yml index 64c1bd31b7..7232998a2e 100644 --- a/.github/workflows/dev.firewall.lock.yml +++ b/.github/workflows/dev.firewall.lock.yml @@ -118,6 +118,19 @@ jobs: uses: actions/setup-node@v4 with: node-version: '24' + - name: Install awf binary + run: | + LATEST_TAG=$(gh release view --repo githubnext/gh-aw-firewall --json tagName --jq .tagName) + echo "Installing awf from release: $LATEST_TAG" + curl -L https://github.com/githubnext/gh-aw-firewall/releases/download/${LATEST_TAG}/awf-linux-x64 -o awf + chmod +x awf + sudo mv awf /usr/local/bin/ + which awf + awf --version + env: + GH_TOKEN: ${{ github.token }} + - name: Cleanup any existing awf resources + run: ./scripts/ci/cleanup.sh || true - name: Install GitHub Copilot CLI run: npm install -g @github/copilot@0.0.347 - name: Downloading container images 
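Review bot: The re-added `Install awf binary` step resolves `LATEST_TAG` at run time and installs whatever `awf-linux-x64` the newest release serves, with no checksum or signature check before `sudo mv awf /usr/local/bin/`, while the Copilot CLI installed in the next step is pinned to `@0.0.347`. Because this binary is later run under sudo as the egress control for the agent, a pinned release tag plus a digest check would make the step reproducible and tamper-evident, e.g. `echo "<EXPECTED_SHA256>  awf" | sha256sum -c -` right after the download. Using `curl -fsSL` instead of `curl -L` would also make an HTTP error fail the step rather than save an error page as the binary. The file looks compiler-generated (`.lock.yml`), so the change presumably belongs in the generator or the workflow source rather than in this file.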
@@ -343,7 +356,7 @@ jobs: if-no-files-found: warn - name: Capture agent version run: | - VERSION_OUTPUT=$(copilot --version 2>&1 || echo "unknown") + VERSION_OUTPUT=$(npx -y @github/copilot@0.0.347 --version 2>&1 || echo "unknown") # Extract semantic version pattern (e.g., 1.2.3, v1.2.3-beta) CLEAN_VERSION=$(echo "$VERSION_OUTPUT" | grep -oE 'v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?' | head -n1 || echo "unknown") echo "AGENT_VERSION=$CLEAN_VERSION" >> $GITHUB_ENV @@ -395,12 +408,20 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - COPILOT_CLI_INSTRUCTION=$(cat /tmp/gh-aw/aw-prompts/prompt.txt) - mkdir -p /tmp/ - mkdir -p /tmp/gh-aw/ - mkdir -p /tmp/gh-aw/agent/ - mkdir -p /tmp/gh-aw/.copilot/logs/ - copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/.copilot/logs/ --disable-builtin-mcps --allow-tool github --prompt "$COPILOT_CLI_INSTRUCTION" 2>&1 | tee /tmp/gh-aw/agent-stdio.log + sudo -E awf --env-all \ + --allow-domains api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org \ + --log-level debug \ + 'npx -y @github/copilot@0.0.347 --add-dir /tmp/gh-aw/ --log-level all --disable-builtin-mcps --allow-tool github --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' \ + 2>&1 | tee /tmp/gh-aw/agent-stdio.log + + # Move preserved Copilot logs to expected location + COPILOT_LOGS_DIR=$(ls -td /tmp/copilot-logs-* 2>/dev/null | head -1) + if [ -n "$COPILOT_LOGS_DIR" ] && [ -d "$COPILOT_LOGS_DIR" ]; then + echo "Moving Copilot logs from $COPILOT_LOGS_DIR to /tmp/gh-aw/.copilot/logs/" + mkdir -p /tmp/gh-aw/.copilot/logs/ + mv "$COPILOT_LOGS_DIR"/* /tmp/gh-aw/.copilot/logs/ || true + rmdir "$COPILOT_LOGS_DIR" || true + fi env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json 
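Review bot: In the agent execution hunk (`@@ -395,12 +408,20 @@`), `sudo -E awf --env-all` appears to forward the runner's whole environment into the firewalled command, which would include any tokens set in the step's `env:` block (that block continues past the end of the hunk). Passing only the variables the Copilot CLI needs would keep the sandbox closer to least privilege; if that is not possible, a comment such as `# --env-all: agent needs <VARS>; secrets are scoped to this step` would at least record the decision. The log move that follows picks the newest `/tmp/copilot-logs-*` directory by glob in a shared temp directory and swallows failures with `|| true`, so a missing or unexpected directory passes silently. An `else` branch that echoes a warning when no log directory is found would make lost agent logs visible in the run output.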
@@ -538,6 +559,24 @@ jobs: name: mcp-logs path: /tmp/gh-aw/mcp-logs/ if-no-files-found: ignore + - name: Agent Firewall logs + if: always() + run: | + # Squid logs are preserved in timestamped directories + SQUID_LOGS_DIR=$(ls -td /tmp/squid-logs-* 2>/dev/null | head -1) + if [ -n "$SQUID_LOGS_DIR" ] && [ -d "$SQUID_LOGS_DIR" ]; then + echo "Found Squid logs at: $SQUID_LOGS_DIR" + mkdir -p /tmp/gh-aw/squid-logs-dev-firewall/ + sudo cp -r "$SQUID_LOGS_DIR"/* /tmp/gh-aw/squid-logs-dev-firewall/ || true + sudo chmod -R a+r /tmp/gh-aw/squid-logs-dev-firewall/ || true + fi + - name: Upload Squid logs + if: always() + uses: actions/upload-artifact@v4 + with: + name: squid-logs-dev-firewall + path: /tmp/gh-aw/squid-logs-dev-firewall/ + if-no-files-found: ignore - name: Parse agent logs for step summary if: always() uses: actions/github-script@v8 @@ -1367,6 +1406,9 @@ jobs: name: agent-stdio.log path: /tmp/gh-aw/agent-stdio.log if-no-files-found: warn + - name: Cleanup awf resources + if: always() + run: ./scripts/ci/cleanup.sh || true - name: Validate agent logs for errors if: always() uses: actions/github-script@v8 diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 14a10a1446..c93ea90a83 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go 
@@ -317,7 +317,7 @@ var PriorityStepFields = []string{"name", "id", "if", "run", "uses", "script", " // PriorityJobFields defines the conventional field order for GitHub Actions workflow jobs // Fields appear in this order first, followed by remaining fields alphabetically -var PriorityJobFields = []string{"name", "runs-on", "needs", "if", "permissions", "environment", "concurrency", "outputs", "env", "defaults", "steps"} +var PriorityJobFields = []string{"name", "runs-on", "needs", "if", "permissions", "environment", "concurrency", "outputs", "env", "steps"} // PriorityWorkflowFields defines the conventional field order for top-level GitHub Actions workflow frontmatter // Fields appear in this order first, followed by remaining fields alphabetically diff --git a/pkg/parser/schema_test.go b/pkg/parser/schema_test.go index 1774f6180d..18b58db2d2 100644 --- a/pkg/parser/schema_test.go +++ b/pkg/parser/schema_test.go @@ -723,32 +723,6 @@ func TestValidateMainWorkflowFrontmatterWithSchema(t *testing.T) { }, wantErr: false, }, - { - name: "valid GitHub Actions defaults property", - frontmatter: map[string]any{ - "on": "push", - "defaults": map[string]any{ - "run": map[string]any{ - "shell": "bash", - "working-directory": "/app", - }, - }, - }, - wantErr: false, - }, - { - name: "invalid defaults with additional properties", - frontmatter: map[string]any{ - "defaults": map[string]any{ - "run": map[string]any{ - "shell": "bash", - "invalid_prop": "value", - }, - }, - }, - wantErr: true, - errContains: "additional properties 'invalid_prop' not allowed", - }, { name: "valid claude engine with network permissions", frontmatter: map[string]any{ diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index a1ba9f42d2..2b82980d6d 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json 
@@ -1070,28 +1070,6 @@ "type": "string", "description": "Custom name for workflow runs that appears in the GitHub Actions interface (supports GitHub expressions like ${{ github.event.issue.title }})" }, - "defaults": { - "type": "object", - "description": "Default settings that will apply to all jobs in the workflow", - "additionalProperties": false, - "properties": { - "run": { - "type": "object", - "description": "Default shell and working directory", - "additionalProperties": false, - "properties": { - "shell": { - "type": "string", - "description": "Default shell for run steps" - }, - "working-directory": { - "type": "string", - "description": "Default working directory for run steps" - } - } - } - } - }, "jobs": { "type": "object", "description": "Groups together all the jobs that run in the workflow", @@ -1194,9 +1172,6 @@ "type": "string" } }, - "defaults": { - "$ref": "#/properties/defaults" - }, "concurrency": { "$ref": "#/properties/concurrency" } From 2cc10e371081da4a4beac463fe7e6c857cc3a95f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 23 Oct 2025 05:03:49 +0000 Subject: [PATCH 4/5] Remove "defaults" section from main JSON schema Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../src/content/docs/reference/frontmatter-full.md | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/docs/src/content/docs/reference/frontmatter-full.md b/docs/src/content/docs/reference/frontmatter-full.md index 79e9b91b58..04f9837747 100644 --- a/docs/src/content/docs/reference/frontmatter-full.md +++ b/docs/src/content/docs/reference/frontmatter-full.md 
@@ -620,20 +620,6 @@ permissions: # (optional) run-name: "example-value" -# Default settings that will apply to all jobs in the workflow -# (optional) -defaults: - # Default shell and working directory - # (optional) - run: - # Default shell for run steps - # (optional) - shell: "example-value" - - # Default working directory for run steps - # (optional) - working-directory: "example-value" - # Groups together all the jobs that run in the workflow # (optional) jobs: From dba2d2cd6fe0772c59219a552c6bc230081f73c2 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 23 Oct 2025 05:13:14 +0000 Subject: [PATCH 5/5] Add changeset for schema defaults removal --- .changeset/minor-remove-defaults-schema.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/minor-remove-defaults-schema.md diff --git a/.changeset/minor-remove-defaults-schema.md b/.changeset/minor-remove-defaults-schema.md new file mode 100644 index 0000000000..c644095711 --- /dev/null +++ b/.changeset/minor-remove-defaults-schema.md @@ -0,0 +1,5 @@ +--- +"gh-aw": minor +--- + +Remove "defaults" section from main JSON schema