diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 6f4a8809212..534e69e24fb 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -21,7 +21,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8b8e7739047a7e1a0c6540f7574b93437f0a2b7607c424e28a72fd5745c56be5","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b614d2b177f891f2474ec04ef2dadf47a16142bc2933d8a36a8e165870fae677","strict":true,"agent_id":"copilot"} name: "Constraint Solving — Problem of the Day" "on": diff --git a/.github/workflows/constraint-solving-potd.md b/.github/workflows/constraint-solving-potd.md index 87b79c4a1b8..41af9d795b5 100644 --- a/.github/workflows/constraint-solving-potd.md +++ b/.github/workflows/constraint-solving-potd.md @@ -18,7 +18,7 @@ safe-outputs: title-prefix: "🧩 Constraint Solving POTD:" labels: [constraint-solving, problem-of-the-day] close-older-discussions: true - expires: 7 + expires: 7d --- # Constraint Solving — Problem of the Day @@ -116,4 +116,4 @@ List 2–4 seminal or accessible references: When you have written the problem discussion, post it using `create-discussion`. -If today's category was recently covered and you cannot find a sufficiently different problem, call `noop` with an explanation of why you skipped. +If today's category was recently covered and you cannot find a sufficiently different problem, call `noop` with an explanation of why you skipped. \ No newline at end of file diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 2d9d2508248..5a0e0096737 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml 
@@ -21,7 +21,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"23a89d50ad95694dbbfba8c7872a41f03697c87526de949a7725c12497d05d1c","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"a483a637eae7d8a0f5a045245c6f5d72ec408dd470865a2cd889122b1ac18680","strict":true,"agent_id":"copilot"} name: "Contribution Check" "on": diff --git a/.github/workflows/contribution-check.md b/.github/workflows/contribution-check.md index c26f2c6b529..09da9119f85 100644 --- a/.github/workflows/contribution-check.md +++ b/.github/workflows/contribution-check.md @@ -23,7 +23,7 @@ safe-outputs: labels: - contribution-report close-older-issues: true - expires: 1 + expires: 1d add-labels: allowed: [spam, needs-work, outdated, lgtm] max: 4 @@ -185,4 +185,4 @@ If any subagent call failed (❓), also apply `outdated`. ```json {"noop": {"message": "No action needed: [brief explanation of what was analyzed and why]"}} -``` +``` \ No newline at end of file diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 6e3454f07f3..c161c1e09c1 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -26,7 +26,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"15c319e318a6b9de87fc6b5acd2a3c80463bb2ac5970875c00ce5325d428a71d","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"219c5898fd299f2ed4fb902a027b8acdc19ea0405f85f6af82d20abc1a27a076","strict":true,"agent_id":"copilot"} name: "Architecture Diagram Generator" "on": diff --git a/.github/workflows/daily-architecture-diagram.md b/.github/workflows/daily-architecture-diagram.md index 3f8364e5aec..e48def3bb9c 100644 --- a/.github/workflows/daily-architecture-diagram.md 
+++ b/.github/workflows/daily-architecture-diagram.md @@ -22,10 +22,10 @@ safe-outputs: title-prefix: "🏗️ Architecture Diagram:" labels: [architecture, diagram] close-older-issues: true - expires: 7 + expires: 7d max: 1 create-pull-request: - expires: 7 + expires: 7d title-prefix: "[architecture] " labels: [architecture, diagram, documentation] noop: @@ -207,4 +207,4 @@ This diagram shows the package structure and dependencies of the `gh-aw` codebas ```` - When the diagram **changes**: update `scratchpad/architecture.md` via `create_pull_request` with a PR titled `[architecture] Update architecture diagram - `. -- When the diagram is **unchanged** (noop path): skip the scratchpad update entirely. +- When the diagram is **unchanged** (noop path): skip the scratchpad update entirely. \ No newline at end of file diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index db5b1b36686..5211e110542 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -34,7 +34,7 @@ # # inlined-imports: true # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"9a4d79294c209d0051ffe00014b288b54a2be522a7908fd96f44fab6aa5c9e60","strict":true,"agent_id":"claude"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fe699b7701341977425ab709b5fa92bd1ca9d99e83fc3f6472e7749dbfe01e02","agent_id":"claude"} name: "Smoke Claude" "on": @@ -109,7 +109,7 @@ jobs: GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_APM_VERSION: "v0.8.3" GH_AW_INFO_FIREWALL_TYPE: "squid" - GH_AW_COMPILED_STRICT: "true" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-claude.md b/.github/workflows/smoke-claude.md index 20c974ecf24..39a42041613 100644 --- a/.github/workflows/smoke-claude.md +++ b/.github/workflows/smoke-claude.md 
@@ -19,7 +19,7 @@ name: Smoke Claude engine: id: claude max-turns: 100 -strict: true +strict: false inlined-imports: true imports: - shared/mcp-pagination.md diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index f99faf2084a..4480cc7bcdf 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -27,7 +27,7 @@ # - shared/gh.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0f4668b9ab1badf192f489c4a66a16cdaa218a0f31d7ad325ec26159e0d7e4d8","strict":true,"agent_id":"codex"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8ccab7e12d1831d3a6e67bf289dbda8640b9254de4657fc2b2d8cfc3f33fcfb9","agent_id":"codex"} name: "Smoke Codex" "on": @@ -99,7 +99,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.24.5" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" - GH_AW_COMPILED_STRICT: "true" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-codex.md b/.github/workflows/smoke-codex.md index 87b345ae83e..49ce9c71e9a 100644 --- a/.github/workflows/smoke-codex.md +++ b/.github/workflows/smoke-codex.md @@ -14,7 +14,7 @@ permissions: pull-requests: read name: Smoke Codex engine: codex -strict: true +strict: false imports: - shared/gh.md - shared/reporting.md diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 5612a90b980..067c7b3b4c2 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml 
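Review bot: `strict: false` in the smoke-claude.md frontmatter turns off strict-mode compilation with no comment saying why, and the same flip is made in smoke-codex.md, smoke-copilot-arm.md and smoke-copilot.md. The compiled lock files follow suit (`GH_AW_COMPILED_STRICT: "false"`, and the `strict` key disappears from the `gh-aw-metadata` line), so whatever validation strict mode applies at compile time no longer gates these four agent-driven smoke workflows. If one specific check is what blocks them, prefer fixing that and keeping `strict: true`. If the relaxation is intended, record it next to the setting, e.g. `strict: false # TODO(<owner>): <reason strict cannot be used>; re-enable once <tracking issue> is resolved`. The frontmatter continues outside the hunk, so the permissions and network settings that strict mode would presumably have checked are not visible here.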
@@ -28,7 +28,7 @@ # - shared/github-queries-mcp-script.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"7d98a942c43c77f4d9757066e1492cdd3c197fb6272337d072c67412dfa07e95","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b8c52bb25dd5e53dd4cd9c19582e7759a58d025d7218306c34c3789d82c383e9","agent_id":"copilot"} name: "Smoke Copilot ARM64" "on": @@ -98,7 +98,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.24.5" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" - GH_AW_COMPILED_STRICT: "true" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-copilot-arm.md b/.github/workflows/smoke-copilot-arm.md index f54a95bd6a1..39abe9bbd6a 100644 --- a/.github/workflows/smoke-copilot-arm.md +++ b/.github/workflows/smoke-copilot-arm.md @@ -108,7 +108,7 @@ safe-outputs: run-success: "📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤" run-failure: "📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident..." timeout-minutes: 15 -strict: true +strict: false --- # Smoke Test: Copilot Engine Validation (ARM64) diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 2ca4c376296..581454899f1 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -28,7 +28,7 @@ # - shared/github-queries-mcp-script.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c69fb0db5e338569de880edcb18e606cf17efe9016ab532a0c4f17c1ba71729c","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"9a25686dcb16bf3ce0e37b5b72799686f0fc1d8cd14a06249604373fb9d0a59c","agent_id":"copilot"} name: "Smoke Copilot" "on": 
@@ -100,7 +100,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.24.5" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" - GH_AW_COMPILED_STRICT: "true" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-copilot.md b/.github/workflows/smoke-copilot.md index afe8607e57a..cdf79211f9f 100644 --- a/.github/workflows/smoke-copilot.md +++ b/.github/workflows/smoke-copilot.md @@ -116,7 +116,7 @@ safe-outputs: run-success: "📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤" run-failure: "📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident..." timeout-minutes: 15 -strict: true +strict: false --- # Smoke Test: Copilot Engine Validation diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 9d2f748e442..b819502f416 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -20,9 +20,9 @@ # # For more information: https://github.github.com/gh-aw/introduction/overview/ # -# Smoke test validating cross-repo pull request creation in githubnext/gh-aw-side-repo +# Smoke test validating cross-repo pull request creation in github/gh-aw-side-repo # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"23144cc5cfaff8c43f78aeac9193fc954d2391a4d6fc0207772ebb4127c0ad56","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"65c1c88218bd8753bc2cf126b203276b895f77cab886d5e031b4f7a9fae628aa","strict":true,"agent_id":"copilot"} name: "Smoke Create Cross-Repo PR" "on": 
@@ -135,7 +135,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_WORKFLOW_NAME: "Smoke Create Cross-Repo PR" - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in github/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in github/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); 
@@ -199,7 +199,7 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - **checkouts**: The following repositories have been checked out and are available in the workspace: - - `$GITHUB_WORKSPACE` → `githubnext/gh-aw-side-repo` (cwd) [shallow clone, fetch-depth=1 (default)] + - `$GITHUB_WORKSPACE` → `github/gh-aw-side-repo` (cwd) [shallow clone, fetch-depth=1 (default)] - **Note**: If a branch you need is not in the list above and is not listed as an additional fetched ref, it has NOT been checked out. For private repositories you cannot fetch it without proper authentication. If the branch is required and not available, exit with an error and ask the user to add it to the `fetch:` option of the `checkout:` configuration (e.g., `fetch: ["refs/pulls/open/*"]` for all open PR refs, or `fetch: ["main", "feature/my-branch"]` for specific branches). @@ -325,11 +325,11 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - name: Checkout githubnext/gh-aw-side-repo + - name: Checkout github/gh-aw-side-repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - repository: githubnext/gh-aw-side-repo + repository: github/gh-aw-side-repo token: ${{ secrets.GH_AW_SIDE_REPO_PAT }} - name: Create gh-aw temp directory run: bash ${RUNNER_TEMP}/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -387,7 +387,7 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' - {"add_comment":{"max":2},"create_issue":{"expires":2,"max":1},"create_pull_request":{"draft":true,"expires":24,"fallback_as_issue":false,"max":1,"target-repo":"githubnext/gh-aw-side-repo","title_prefix":"[smoke] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"add_comment":{"max":2},"create_issue":{"expires":2,"max":1},"create_pull_request":{"draft":true,"expires":24,"fallback_as_issue":false,"max":1,"target-repo":"github/gh-aw-side-repo","title_prefix":"[smoke] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | @@ -871,7 +871,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: WORKFLOW_NAME: "Smoke Create Cross-Repo PR" - WORKFLOW_DESCRIPTION: "Smoke test validating cross-repo pull request creation in githubnext/gh-aw-side-repo" + WORKFLOW_DESCRIPTION: "Smoke test validating cross-repo pull request creation in github/gh-aw-side-repo" HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | 
@@ -1046,7 +1046,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }} - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in github/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in github/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" GH_AW_GROUP_REPORTS: "false" GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" 
@@ -1099,7 +1099,7 @@ jobs: GH_AW_WORKFLOW_NAME: "Smoke Create Cross-Repo PR" GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_DETECTION_CONCLUSION: ${{ needs.agent.outputs.detection_conclusion }} - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in github/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in github/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | 
@@ -1158,7 +1158,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-create-cross-repo-pr" GH_AW_ENGINE_ID: "copilot" - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in github/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in github/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-create-cross-repo-pr" GH_AW_WORKFLOW_NAME: "Smoke Create Cross-Repo PR" outputs: @@ -1210,7 +1210,7 @@ jobs: if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - repository: githubnext/gh-aw-side-repo + repository: github/gh-aw-side-repo ref: ${{ github.base_ref || github.event.pull_request.base.ref || github.ref_name || github.event.repository.default_branch }} token: ${{ secrets.GH_AW_SIDE_REPO_PAT }} persist-credentials: false 
@@ -1218,7 +1218,7 @@ jobs: - name: Configure Git credentials if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') env: - REPO_NAME: "githubnext/gh-aw-side-repo" + REPO_NAME: "github/gh-aw-side-repo" SERVER_URL: ${{ github.server_url }} GIT_TOKEN: ${{ secrets.GH_AW_SIDE_REPO_PAT }} run: | 
@@ -1245,7 +1245,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,127.0.0.1,::1,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,app.renovatebot.com,appveyor.com,archive.ubuntu.com,azure.archive.ubuntu.com,badgen.net,circleci.com,codacy.com,codeclimate.com,codecov.io,codeload.github.com,coveralls.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deepsource.io,docs.github.com,drone.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,img.shields.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,localhost,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,readthedocs.io,readthedocs.org,registry.npmjs.org,renovatebot.com,s.symcb.com,s.symcd.com,security.ubuntu.com,semaphoreci.com,shields.io,snyk.io,sonarcloud.io,sonarqube.com,telemetry.enterprise.githubcopilot.com,travis-ci.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":2},\"create_issue\":{\"close_older_issues\":true,\"expires\":2,\"labels\":[\"automation\",\"testing\"],\"max\":1},\"create_pull_request\":{\"draft\":true,\"expires\":24,\"fallback_as_issue\":false,\"github-token\":\"${{ secrets.GH_AW_SIDE_REPO_PAT 
}}\",\"if_no_changes\":\"error\",\"labels\":[\"smoke-test\"],\"max\":1,\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"target-repo\":\"githubnext/gh-aw-side-repo\",\"title_prefix\":\"[smoke] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":2},\"create_issue\":{\"close_older_issues\":true,\"expires\":2,\"labels\":[\"automation\",\"testing\"],\"max\":1},\"create_pull_request\":{\"draft\":true,\"expires\":24,\"fallback_as_issue\":false,\"github-token\":\"${{ secrets.GH_AW_SIDE_REPO_PAT 
}}\",\"if_no_changes\":\"error\",\"labels\":[\"smoke-test\"],\"max\":1,\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"target-repo\":\"github/gh-aw-side-repo\",\"title_prefix\":\"[smoke] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"}}" GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }} GITHUB_TOKEN: ${{ secrets.GH_AW_SIDE_REPO_PAT }} with: diff --git a/.github/workflows/smoke-create-cross-repo-pr.md b/.github/workflows/smoke-create-cross-repo-pr.md index b5df9fba6a2..dbc0c647816 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.md +++ b/.github/workflows/smoke-create-cross-repo-pr.md @@ -1,6 +1,6 @@ --- name: Smoke Create Cross-Repo PR -description: Smoke test validating cross-repo pull request creation in githubnext/gh-aw-side-repo +description: Smoke test validating cross-repo pull request creation in github/gh-aw-side-repo on: schedule: every 12h workflow_dispatch: @@ -20,7 +20,7 @@ network: - github checkout: - - repository: githubnext/gh-aw-side-repo + - repository: github/gh-aw-side-repo github-token: ${{ secrets.GH_AW_SIDE_REPO_PAT }} tools: 
@@ -34,7 +34,7 @@ tools: safe-outputs: allowed-domains: [default-safe-outputs] create-pull-request: - target-repo: "githubnext/gh-aw-side-repo" + target-repo: "github/gh-aw-side-repo" github-token: ${{ secrets.GH_AW_SIDE_REPO_PAT }} title-prefix: "[smoke] " labels: [smoke-test] @@ -51,8 +51,8 @@ safe-outputs: max: 2 messages: footer: "> 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}" - run-started: "🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo..." - run-success: "✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!" + run-started: "🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in github/gh-aw-side-repo..." + run-success: "✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in github/gh-aw-side-repo!" run-failure: "❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}" timeout-minutes: 10 @@ -107,4 +107,4 @@ Status: cross-repo PR creation smoke test - "Smoke Test: Copilot - Cross-repo create PR ${{ github.run_id }}" - The line that was added to the cross-repo PR - Overall status: SUCCESS - - Run URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + - Run URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} \ No newline at end of file diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index f34a3c71c2d..15ece41a700 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml 
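Review bot: The `target-repo` change in the `create-pull-request` block (and the matching `checkout` `repository` change in the previous hunk) moves the side repository to a different organisation while still authenticating with the unchanged `secrets.GH_AW_SIDE_REPO_PAT`. Nothing in the diff shows the token was re-issued, so confirm before merge that it is a fine-grained token limited to `github/gh-aw-side-repo` with only the contents and pull-request permissions this test needs, and that it no longer grants access to the old `githubnext` repository. A short comment above the setting would capture that, e.g. `# GH_AW_SIDE_REPO_PAT: fine-grained, github/gh-aw-side-repo only (contents + pull requests)`. The repository name is also repeated as a literal in the description and two message strings, so a future move needs the same five edits.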
@@ -20,9 +20,9 @@ # # For more information: https://github.github.com/gh-aw/introduction/overview/ # -# Smoke test validating cross-repo pull request updates in githubnext/gh-aw-side-repo by adding lines from Homer's Odyssey to the README +# Smoke test validating cross-repo pull request updates in github/gh-aw-side-repo by adding lines from Homer's Odyssey to the README # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"1b83093f25431da3943130e4dc7707a88b79a2f8454e38a5773f5f5031b6b1d2","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b2779782e046af3e7d6bf341c0986e2981403799645d57898bd72ae136f133df","strict":true,"agent_id":"copilot"} name: "Smoke Update Cross-Repo PR" "on": @@ -135,7 +135,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_WORKFLOW_NAME: "Smoke Update Cross-Repo PR" - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to github/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); 
@@ -200,7 +200,7 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - **checkouts**: The following repositories have been checked out and are available in the workspace: - - `$GITHUB_WORKSPACE` → `githubnext/gh-aw-side-repo` (cwd) [full history, all branches available as remote-tracking refs] [additional refs fetched: main, refs/pulls/open/*] + - `$GITHUB_WORKSPACE` → `github/gh-aw-side-repo` (cwd) [full history, all branches available as remote-tracking refs] [additional refs fetched: main, refs/pulls/open/*] - **Note**: If a branch you need is not in the list above and is not listed as an additional fetched ref, it has NOT been checked out. For private repositories you cannot fetch it without proper authentication. If the branch is required and not available, exit with an error and ask the user to add it to the `fetch:` option of the `checkout:` configuration (e.g., `fetch: ["refs/pulls/open/*"]` for all open PR refs, or `fetch: ["main", "feature/my-branch"]` for specific branches). @@ -332,14 +332,14 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - name: Checkout githubnext/gh-aw-side-repo + - name: Checkout github/gh-aw-side-repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - repository: githubnext/gh-aw-side-repo + repository: github/gh-aw-side-repo token: ${{ secrets.GH_AW_SIDE_REPO_PAT }} fetch-depth: 0 - - name: Fetch additional refs for githubnext/gh-aw-side-repo + - name: Fetch additional refs for github/gh-aw-side-repo env: GH_AW_FETCH_TOKEN: ${{ secrets.GH_AW_SIDE_REPO_PAT }} run: | 
@@ -884,7 +884,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: WORKFLOW_NAME: "Smoke Update Cross-Repo PR" - WORKFLOW_DESCRIPTION: "Smoke test validating cross-repo pull request updates in githubnext/gh-aw-side-repo by adding lines from Homer's Odyssey to the README" + WORKFLOW_DESCRIPTION: "Smoke test validating cross-repo pull request updates in github/gh-aw-side-repo by adding lines from Homer's Odyssey to the README" HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | @@ -1060,7 +1060,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }} - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to github/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" GH_AW_GROUP_REPORTS: "false" GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" 
@@ -1099,7 +1099,7 @@ jobs: GH_AW_WORKFLOW_NAME: "Smoke Update Cross-Repo PR" GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_DETECTION_CONCLUSION: ${{ needs.agent.outputs.detection_conclusion }} - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to github/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | 
@@ -1158,7 +1158,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-update-cross-repo-pr" GH_AW_ENGINE_ID: "copilot" - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to github/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-update-cross-repo-pr" GH_AW_WORKFLOW_NAME: "Smoke Update Cross-Repo PR" outputs: 
@@ -1244,7 +1244,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,127.0.0.1,::1,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,app.renovatebot.com,appveyor.com,archive.ubuntu.com,azure.archive.ubuntu.com,badgen.net,circleci.com,codacy.com,codeclimate.com,codecov.io,codeload.github.com,coveralls.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deepsource.io,docs.github.com,drone.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,img.shields.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,localhost,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,readthedocs.io,readthedocs.org,registry.npmjs.org,renovatebot.com,s.symcb.com,s.symcd.com,security.ubuntu.com,semaphoreci.com,shields.io,snyk.io,sonarcloud.io,sonarqube.com,telemetry.enterprise.githubcopilot.com,travis-ci.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":2},\"create_issue\":{\"close_older_issues\":true,\"expires\":2,\"labels\":[\"automation\",\"testing\"],\"max\":1},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"push_to_pull_request_branch\":{\"github-token\":\"${{ secrets.GH_AW_SIDE_REPO_PAT 
}}\",\"if_no_changes\":\"error\",\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"target\":\"1\",\"target-repo\":\"githubnext/gh-aw-side-repo\"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":2},\"create_issue\":{\"close_older_issues\":true,\"expires\":2,\"labels\":[\"automation\",\"testing\"],\"max\":1},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"push_to_pull_request_branch\":{\"github-token\":\"${{ secrets.GH_AW_SIDE_REPO_PAT }}\",\"if_no_changes\":\"error\",\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"target\":\"1\",\"target-repo\":\"github/gh-aw-side-repo\"}}" GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN 
}} GITHUB_TOKEN: ${{ secrets.GH_AW_SIDE_REPO_PAT }} with: diff --git a/.github/workflows/smoke-update-cross-repo-pr.md b/.github/workflows/smoke-update-cross-repo-pr.md index 4da7a8103d1..91cd3d2486e 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.md +++ b/.github/workflows/smoke-update-cross-repo-pr.md @@ -1,6 +1,6 @@ --- name: Smoke Update Cross-Repo PR -description: Smoke test validating cross-repo pull request updates in githubnext/gh-aw-side-repo by adding lines from Homer's Odyssey to the README +description: Smoke test validating cross-repo pull request updates in github/gh-aw-side-repo by adding lines from Homer's Odyssey to the README on: schedule: every 12h @@ -21,7 +21,7 @@ network: - github checkout: - - repository: githubnext/gh-aw-side-repo + - repository: github/gh-aw-side-repo github-token: ${{ secrets.GH_AW_SIDE_REPO_PAT }} fetch: ["main", "refs/pulls/open/*"] # fetch all open PR refs after checkout fetch-depth: 0 # fetch full history to ensure we can see all commits and PR details @@ -45,13 +45,13 @@ safe-outputs: hide-older-comments: true max: 2 push-to-pull-request-branch: - target-repo: "githubnext/gh-aw-side-repo" + target-repo: "github/gh-aw-side-repo" github-token: ${{ secrets.GH_AW_SIDE_REPO_PAT }} if-no-changes: "error" target: "1" # PR #1 messages: footer: "> 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}" - run-started: "📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1..." + run-started: "📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to github/gh-aw-side-repo PR #1..." run-success: "✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!" run-failure: "❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}" 
@@ -94,4 +94,4 @@ Mark this step ✅ if the checkout succeeds, ❌ otherwise. - "Smoke Test: Copilot - Cross-repo update PR ${{ github.run_id }}" - The line that was added to the cross-repo PR - Overall status: SUCCESS - - Run URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + - Run URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} \ No newline at end of file diff --git a/docs/src/content/docs/reference/frontmatter-full.md b/docs/src/content/docs/reference/frontmatter-full.md index 959489a0783..7962401548d 100644 --- a/docs/src/content/docs/reference/frontmatter-full.md +++ b/docs/src/content/docs/reference/frontmatter-full.md 
@@ -206,6 +206,65 @@ on: # discussion). label_command: "example-value" + # Option 2: Label command configuration object with label name(s) and optional + # event filtering. + label_command: + # Label name(s) that trigger the workflow when added to an issue, pull request, or + # discussion. + # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: Single label name that acts as a command (e.g., 'deploy' triggers the + # workflow when the 'deploy' label is added). + name: "My Workflow" + + # Option 2: Array of label names — any of these labels will trigger the workflow. + name: [] + # Array items: A label name + + # Alternative to 'name': label name(s) that trigger the workflow. + # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: Single label name. + names: "example-value" + + # Option 2: Array of label names — any of these labels will trigger the workflow. + names: [] + # Array items: A label name + + # Item types where the label-command trigger should be active. Default is all + # supported types: issues, pull_request, discussion. + # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: Single item type or '*' for all types. + events: "*" + + # Option 2: Array of item types where the trigger is active. + events: [] + # Array items: Item type. + + # Whether to automatically remove the triggering label after the workflow starts. + # Defaults to true. Set to false to keep the label on the item and skip the + # label-removal step. When false, the issues:write and discussions:write + # permissions required for label removal are also omitted. + # (optional) + remove_label: true + + # On Label Command trigger: fires when a specific label is added to an issue, pull + # request, or discussion. The triggering label is automatically removed at + # workflow start so it can be applied again to re-trigger. 
Use the 'events' field + # to restrict which item types (issues, pull_request, discussion) activate the + # trigger. + # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: Label name as a string (shorthand format). The workflow fires when + # this label is added to any supported item type (issue, pull request, or + # discussion). + label_command: "example-value" + # Option 2: Label command configuration object with label name(s) and optional # event filtering. label_command: @@ -1282,22 +1341,6 @@ sandbox: # (optional) type: "awf" - # Custom command to replace the default AWF installation. For AWF: 'docker run - # my-custom-awf-image' - # (optional) - command: "example-value" - - # Additional arguments to append to the command (applies to AWF, for standard and - # custom commands) - # (optional) - args: [] - # Array of strings - - # Environment variables to set on the execution step (applies to AWF) - # (optional) - env: - {} - # Container mounts to add when using AWF. Each mount is specified using Docker # mount syntax: 'source:destination:mode' where mode can be 'ro' (read-only) or # 'rw' (read-write). Example: '/host/path:/container/path:ro' 
@@ -1384,28 +1427,6 @@ sandbox: # Specification v1.0.0: Only container-based execution is supported. # (optional) mcp: - # Container image for the MCP gateway executable (required) - container: "example-value" - - # Optional version/tag for the container image (e.g., 'latest', 'v1.0.0') - # (optional) - version: null - - # Optional custom entrypoint for the MCP gateway container. Overrides the - # container's default entrypoint. - # (optional) - entrypoint: "example-value" - - # Arguments for docker run - # (optional) - args: [] - # Array of strings - - # Arguments to add after the container image (container entrypoint arguments) - # (optional) - entrypointArgs: [] - # Array of strings - # Volume mounts for the MCP gateway container. Each mount is specified using # Docker mount syntax: 'source:destination:mode' where mode can be 'ro' # (read-only) or 'rw' (read-write). Example: '/host/data:/container/data:ro' @@ -1843,14 +1864,7 @@ tools: toolsets: [] # Array of Toolset name - # Volume mounts for the containerized GitHub MCP server (format: - # 'host:container:mode' where mode is 'ro' for read-only or 'rw' for read-write). - # Applies to local mode only. Example: '/data:/data:ro' - # (optional) - mounts: [] - # Array of Mount specification in format 'host:container:mode' - - # Guard policy: repository access configuration. Restricts which repositories the + # GitHub Tools repository access configuration. Restricts which repositories the # agent can access. Use 'all' to allow all repos, 'public' for public repositories # only, or an array of repository patterns (e.g., 'owner/repo', 'owner/*', # 'owner/prefix*'). @@ -2404,7 +2418,7 @@ safe-outputs: expires: "example-value" # Option 3: Set to false to explicitly disable expiration - expires: true + expires: false # If true, group issues as sub-issues under a parent issue. The workflow ID is # used as the group identifier. Parent issues are automatically created and 
@@ -2905,7 +2919,7 @@ safe-outputs: expires: "example-value" # Option 3: Set to false to explicitly disable expiration - expires: true + expires: false # GitHub token to use for this specific output type. Overrides global github-token # if specified. diff --git a/docs/src/content/docs/reference/sandbox.md b/docs/src/content/docs/reference/sandbox.md index 703b9177266..c23d2ee6069 100644 --- a/docs/src/content/docs/reference/sandbox.md +++ b/docs/src/content/docs/reference/sandbox.md @@ -93,8 +93,6 @@ AWF makes the host filesystem visible inside the container with appropriate perm | System paths | Read-only | `/usr`, `/opt`, `/bin`, `/lib` | | Docker socket | Hidden | `/var/run/docker.sock` (security) | -Custom mounts can still be added via `sandbox.agent.mounts` for paths that need different permissions. - #### Host Binaries All host binaries are available without explicit mounts: system utilities, `gh`, language runtimes, build tools, and anything installed via `apt-get` or setup actions. Verify with `which `. 
@@ -129,123 +127,10 @@ jobs: Use `go build` or `python3` - both are available. ``` -#### Custom AWF Configuration - -Use custom commands, arguments, and environment variables to replace the standard AWF installation with a custom setup: - -```yaml wrap -sandbox: - agent: - id: awf - command: "/usr/local/bin/custom-awf-wrapper" - args: - - "--custom-logging" - - "--debug-mode" - env: - AWF_CUSTOM_VAR: "custom_value" - DEBUG_LEVEL: "verbose" -``` - -##### Custom Mounts - -Add custom container mounts to make host paths available inside the AWF container: - -```yaml wrap -sandbox: - agent: - id: awf - mounts: - - "/host/data:/data:ro" - - "/usr/local/bin/custom-tool:/usr/local/bin/custom-tool:ro" - - "/tmp/cache:/cache:rw" -``` - -Mount syntax follows Docker's format: `source:destination:mode` - -- `source`: Path on the host system -- `destination`: Path inside the container -- `mode`: Either `ro` (read-only) or `rw` (read-write) - -Custom mounts are useful for: - -- Providing access to datasets or configuration files -- Making custom tools available in the container -- Sharing cache directories between host and container - -| Field | Type | Description | -|-------|------|-------------| -| `id` | `string` | Agent identifier: `awf` | -| `command` | `string` | Custom command to replace AWF binary installation | -| `args` | `string[]` | Additional arguments appended to the command | -| `env` | `object` | Environment variables set on the execution step | -| `mounts` | `string[]` | Container mounts using syntax `source:destination:mode` | - -When `command` is specified, the standard AWF installation is skipped and your custom command is used instead. - ## MCP Gateway The MCP Gateway routes all MCP server calls through a unified HTTP gateway, enabling centralized management, logging, and authentication for MCP tools. 
-### Configuration Options - -| Field | Type | Required | Description | -|-------|------|----------|-------------| -| `command` | `string` | No | Custom command to execute (mutually exclusive with `container`) | -| `container` | `string` | No | Container image for the MCP gateway (mutually exclusive with `command`) | -| `version` | `string` | No | Version tag for the container image | -| `port` | `integer` | No | HTTP server port (default: 8080) | -| `api-key` | `string` | No | API key for gateway authentication | -| `args` | `string[]` | No | Command/container execution arguments | -| `entrypointArgs` | `string[]` | No | Container entrypoint arguments (only valid with `container`) | -| `env` | `object` | No | Environment variables for the gateway | - -**Execution Modes** - -The MCP gateway supports two execution modes: - -1. **Custom command** - Use `command` field to specify a custom binary or script -2. **Container** - Use `container` field for Docker-based execution - -The `command` and `container` fields are mutually exclusive - only one can be specified. -You must specify either `command` or `container` to use the MCP gateway feature. - -When MCP gateway is configured: - -1. The gateway starts using the specified execution mode (command or container) -2. A health check verifies the gateway is ready -3. All MCP server configurations are transformed to route through the gateway -4. 
The gateway receives server configs via a configuration file - -### Example: Custom Command Mode - -```yaml wrap -features: - mcp-gateway: true - -sandbox: - mcp: - command: "/usr/local/bin/mcp-gateway" - args: ["--port", "9000", "--verbose"] - env: - LOG_LEVEL: "debug" -``` - -### Example: Container Mode - -```yaml wrap -features: - mcp-gateway: true - -sandbox: - mcp: - container: "ghcr.io/github/gh-aw-mcpg:latest" - args: ["--rm", "-i"] - entrypointArgs: ["--routed", "--listen", "0.0.0.0:8000", "--config-stdin"] - port: 8000 - env: - LOG_LEVEL: "info" -``` - ## Feature Flags Some sandbox features require feature flags: diff --git a/pkg/cli/add_integration_test.go b/pkg/cli/add_integration_test.go index 915e433b38e..d517cfc21af 100644 --- a/pkg/cli/add_integration_test.go +++ b/pkg/cli/add_integration_test.go @@ -979,10 +979,9 @@ func TestAddWorkflowWithDispatchWorkflowFromSharedImport(t *testing.T) { // workflow). The fetcher falls back to .yml when .md is 404, so both the main // workflow and the dispatch-workflow dependency are written to disk. // - // Note: pinned to a specific commit SHA from the branch that renamed - // allowed-url-domains → allowed-domains (schema change). Update to @main once - // that change has been merged. - workflowSpec := "github/gh-aw/.github/workflows/smoke-copilot.md@c93eec8" + // Note: pinned to a specific commit SHA that includes strict: false in smoke-copilot.md + // (required since sandbox.mcp.container is now blocked in strict mode). + workflowSpec := "github/gh-aw/.github/workflows/smoke-copilot.md@c40d97c" cmd := exec.Command(setup.binaryPath, "add", workflowSpec, "--verbose") cmd.Dir = setup.tempDir diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index ee3f6b08146..663fc6b7e35 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json 
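Review bot: `workflowSpec` pins the fixture to the seven-character abbreviation `@c40d97c`; an abbreviated hash stays unique only while no other object in the repository shares the prefix, so the pin can become ambiguous over time. Pinning the full 40-character commit SHA keeps the test reproducible and matches how the workflows in this commit pin actions (`actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd`). The line would read `workflowSpec := "github/gh-aw/.github/workflows/smoke-copilot.md@<full-commit-sha>"`, with the placeholder replaced by the full hash behind c40d97c. How the `add` command resolves the ref is not visible here, and the test function starts and continues outside the hunk.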
@@ -2651,10 +2651,12 @@ }, "command": { "type": "string", + "x-internal": true, "description": "Custom command to replace the default AWF installation. For AWF: 'docker run my-custom-awf-image'" }, "args": { "type": "array", + "x-internal": true, "description": "Additional arguments to append to the command (applies to AWF, for standard and custom commands)", "items": { "type": "string" @@ -2662,6 +2664,7 @@ }, "env": { "type": "object", + "x-internal": true, "description": "Environment variables to set on the execution step (applies to AWF)", "additionalProperties": { "type": "string" @@ -2792,21 +2795,25 @@ "properties": { "container": { "type": "string", + "x-internal": true, "pattern": "^[a-zA-Z0-9][a-zA-Z0-9/:_.-]*$", "description": "Container image for the MCP gateway executable (required)" }, "version": { "type": ["string", "number"], + "x-internal": true, "description": "Optional version/tag for the container image (e.g., 'latest', 'v1.0.0')", "examples": ["latest", "v1.0.0"] }, "entrypoint": { "type": "string", + "x-internal": true, "description": "Optional custom entrypoint for the MCP gateway container. Overrides the container's default entrypoint.", "examples": ["/bin/bash", "/custom/start.sh", "/usr/bin/env"] }, "args": { "type": "array", + "x-internal": true, "items": { "type": "string" }, @@ -2814,6 +2821,7 @@ }, "entrypointArgs": { "type": "array", + "x-internal": true, "items": { "type": "string" }, @@ -2856,7 +2864,6 @@ "description": "Gateway domain for URL generation (default: 'host.docker.internal' when agent is enabled, 'localhost' when disabled)" } }, - "required": ["container"], "additionalProperties": false } }, diff --git a/pkg/workflow/compiler_orchestrator_engine.go b/pkg/workflow/compiler_orchestrator_engine.go index f1624176af5..8f2c4073578 100644 --- a/pkg/workflow/compiler_orchestrator_engine.go +++ b/pkg/workflow/compiler_orchestrator_engine.go 
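Review bot: In the `@@ -2792,21 +2795,25 @@` hunk the `container` description still ends with "(required)", while the `@@ -2856,7 +2864,6 @@` hunk drops `"required": ["container"]`, so the schema text and the schema rule now disagree. The description could become `"description": "Container image for the MCP gateway executable (internal; rejected in strict mode)"`. `x-internal` is an annotation that schema validation does not act on, so the marked fields still validate and their rejection depends on the Go strict-mode check staying in step with this list by hand. Saying "rejected in strict mode" in each marked description, here and in the `sandbox.agent` hunks above, would make that visible to anyone reading the schema in an editor.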
@@ -294,6 +294,14 @@ func (c *Compiler) setupEngineAndImports(result *parser.FrontmatterResult, clean return nil, err } + // Validate that internal sandbox customization fields are not used in strict mode + orchestratorEngineLog.Printf("Validating strict sandbox customization (strict=%v)", c.strictMode) + if err := c.validateStrictSandboxCustomization(sandboxConfig); err != nil { + orchestratorEngineLog.Printf("Strict sandbox customization validation failed: %v", err) + c.strictMode = initialStrictModeForFirewall + return nil, err + } + // Check if the engine supports network restrictions when they are defined if err := c.checkNetworkSupport(agenticEngine, networkPermissions); err != nil { orchestratorEngineLog.Printf("Network support check failed: %v", err) diff --git a/pkg/workflow/mcp_gateway_entrypoint_mounts_e2e_test.go b/pkg/workflow/mcp_gateway_entrypoint_mounts_e2e_test.go index 44827c430c4..6212ca6beca 100644 --- a/pkg/workflow/mcp_gateway_entrypoint_mounts_e2e_test.go +++ b/pkg/workflow/mcp_gateway_entrypoint_mounts_e2e_test.go @@ -19,6 +19,7 @@ func TestMCPGatewayEntrypointE2E(t *testing.T) { markdown := `--- on: workflow_dispatch engine: copilot +strict: false sandbox: mcp: container: ghcr.io/github/gh-aw-mcpg @@ -74,6 +75,7 @@ func TestMCPGatewayMountsE2E(t *testing.T) { markdown := `--- on: workflow_dispatch engine: copilot +strict: false sandbox: mcp: container: ghcr.io/github/gh-aw-mcpg @@ -121,6 +123,7 @@ func TestMCPGatewayEntrypointAndMountsE2E(t *testing.T) { markdown := `--- on: workflow_dispatch engine: copilot +strict: false sandbox: mcp: container: ghcr.io/github/gh-aw-mcpg @@ -223,6 +226,7 @@ func TestMCPGatewayEntrypointWithSpecialCharacters(t *testing.T) { markdown := `--- on: workflow_dispatch engine: copilot +strict: false sandbox: mcp: container: ghcr.io/github/gh-aw-mcpg 
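Review bot: The new check reads `c.strictMode`, but the hunk does not show where that field takes the workflow's `strict:` value, and the reset to `initialStrictModeForFirewall` on the error path suggests it was overridden earlier in `setupEngineAndImports`. A short comment above the call would make the ordering dependency explicit, for example `// c.strictMode must already reflect the workflow's 'strict:' setting here; it is restored on failure like the checks above`. The function starts before and continues after the hunk, so the ordering itself cannot be confirmed from these lines.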
@@ -274,6 +278,7 @@ func TestMCPGatewayMountsWithVariables(t *testing.T) { markdown := `--- on: workflow_dispatch engine: copilot +strict: false sandbox: mcp: container: ghcr.io/github/gh-aw-mcpg diff --git a/pkg/workflow/mcp_setup_generator_test.go b/pkg/workflow/mcp_setup_generator_test.go index df3904f01f5..0680d32ae0e 100644 --- a/pkg/workflow/mcp_setup_generator_test.go +++ b/pkg/workflow/mcp_setup_generator_test.go @@ -245,6 +245,7 @@ func TestMCPGatewayVersionParsedFromSource(t *testing.T) { frontmatter: `--- on: issues engine: claude +strict: false sandbox: mcp: container: ghcr.io/github/gh-aw-mcpg @@ -281,6 +282,7 @@ Test workflow without sandbox.mcp.version specified.`, frontmatter: `--- on: issues engine: claude +strict: false sandbox: mcp: container: ghcr.io/github/gh-aw-mcpg @@ -301,6 +303,7 @@ Test workflow with version: latest.`, frontmatter: `--- on: issues engine: claude +strict: false sandbox: mcp: container: ghcr.io/github/gh-aw-mcpg @@ -321,6 +324,7 @@ Test workflow with version 1.2.3.`, frontmatter: `--- on: issues engine: claude +strict: false sandbox: mcp: container: ghcr.io/custom/gateway diff --git a/pkg/workflow/sandbox_custom_agent_test.go b/pkg/workflow/sandbox_custom_agent_test.go index f108b24ca5f..1a00ef9830b 100644 --- a/pkg/workflow/sandbox_custom_agent_test.go +++ b/pkg/workflow/sandbox_custom_agent_test.go @@ -254,6 +254,7 @@ sandbox: on: workflow_dispatch: engine: copilot +strict: false sandbox: agent: id: awf diff --git a/pkg/workflow/strict_mode_sandbox_validation.go b/pkg/workflow/strict_mode_sandbox_validation.go new file mode 100644 index 00000000000..46881adb6b0 --- /dev/null +++ b/pkg/workflow/strict_mode_sandbox_validation.go 
@@ -0,0 +1,72 @@
+// This file contains strict mode sandbox customization validation.
+//
+// It enforces that internal-only sandbox fields (AWF agent customization and
+// MCP gateway customization) cannot be configured when strict mode is enabled.
+
+package workflow
+
+import "fmt"
+
+// internalSandboxFieldError returns a standardised strict-mode error for an
+// internal sandbox field that must not be configured by end users.
+func internalSandboxFieldError(fieldPath string) error {
+ return fmt.Errorf(
+ "strict mode: '%s' is not allowed because it is an internal implementation detail. "+
+ "Remove '%s' or set 'strict: false' to disable strict mode. "+
+ "See: https://github.github.com/gh-aw/reference/sandbox/",
+ fieldPath, fieldPath,
+ )
+}
+
+// validateStrictSandboxCustomization refuses internal sandbox customization fields in strict mode.
+//
+// The following fields are considered internal implementation/debugging details and
+// are not allowed in strict mode:
+// - sandbox.agent.command, sandbox.agent.args, sandbox.agent.env (AWF customization)
+// - sandbox.mcp.container, sandbox.mcp.version, sandbox.mcp.entrypoint,
+// sandbox.mcp.args, sandbox.mcp.entrypointArgs (MCP gateway customization)
+func (c *Compiler) validateStrictSandboxCustomization(sandboxConfig *SandboxConfig) error {
+ if !c.strictMode {
+ strictModeValidationLog.Printf("Strict mode disabled, skipping sandbox customization validation")
+ return nil
+ }
+
+ if sandboxConfig == nil {
+ return nil
+ }
+
+ // Check agent sandbox internal fields
+ if agent := sandboxConfig.Agent; agent != nil {
+ if agent.Command != "" {
+ return internalSandboxFieldError("sandbox.agent.command")
+ }
+ if len(agent.Args) > 0 {
+ return internalSandboxFieldError("sandbox.agent.args")
+ }
+ if len(agent.Env) > 0 {
+ return internalSandboxFieldError("sandbox.agent.env")
+ }
+ }
+
+ // Check MCP gateway internal fields
+ if mcp := sandboxConfig.MCP; mcp != nil {
+ if mcp.Container != "" {
+ return internalSandboxFieldError("sandbox.mcp.container")
+ }
+ if mcp.Version != "" {
+ return internalSandboxFieldError("sandbox.mcp.version")
+ }
+ if mcp.Entrypoint != "" {
+ return internalSandboxFieldError("sandbox.mcp.entrypoint")
+ }
+ if len(mcp.Args) > 0 {
+ return internalSandboxFieldError("sandbox.mcp.args")
+ }
+ if len(mcp.EntrypointArgs) > 0 {
+ return internalSandboxFieldError("sandbox.mcp.entrypointArgs")
+ }
+ }
+
+ strictModeValidationLog.Printf("Sandbox customization validation passed")
+ return nil
+}
diff --git a/pkg/workflow/strict_mode_sandbox_validation_test.go b/pkg/workflow/strict_mode_sandbox_validation_test.go
new file mode 100644
index 00000000000..73c07916593
--- /dev/null
+++ b/pkg/workflow/strict_mode_sandbox_validation_test.go
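Review bot: The remediation text in `internalSandboxFieldError` offers `strict: false` on equal footing with removing the field, yet by the message's own wording that switch disables strict mode as a whole, not just this check. Wording the second fragment as `"Remove '%s'; setting 'strict: false' also permits it but disables every other strict-mode check. "+` keeps the escape hatch while stating its cost. The first sentence, which the new tests match on, stays unchanged. Separately, `validateStrictSandboxCustomization` returns on the first offending field, so a workflow with several internal fields is reported one field per compile. Whether `MCPGatewayRuntimeConfig` carries further customization fields that this check does not cover is not visible in the hunk.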
@@ -0,0 +1,184 @@ +//go:build !integration + +package workflow + +import ( + "strings" + "testing" +) + +// TestValidateStrictSandboxCustomization tests that internal sandbox fields are +// rejected in strict mode. +func TestValidateStrictSandboxCustomization(t *testing.T) { + tests := []struct { + name string + sandbox *SandboxConfig + expectError bool + errorMsg string + }{ + { + name: "nil sandbox config is allowed", + sandbox: nil, + expectError: false, + }, + { + name: "basic awf sandbox without customization is allowed", + sandbox: &SandboxConfig{ + Agent: &AgentSandboxConfig{ + ID: "awf", + }, + }, + expectError: false, + }, + { + name: "sandbox.agent.command is rejected", + sandbox: &SandboxConfig{ + Agent: &AgentSandboxConfig{ + ID: "awf", + Command: "/usr/local/bin/custom-awf", + }, + }, + expectError: true, + errorMsg: "strict mode: 'sandbox.agent.command' is not allowed because it is an internal implementation detail", + }, + { + name: "sandbox.agent.args is rejected", + sandbox: &SandboxConfig{ + Agent: &AgentSandboxConfig{ + ID: "awf", + Args: []string{"--debug"}, + }, + }, + expectError: true, + errorMsg: "strict mode: 'sandbox.agent.args' is not allowed because it is an internal implementation detail", + }, + { + name: "sandbox.agent.env is rejected", + sandbox: &SandboxConfig{ + Agent: &AgentSandboxConfig{ + ID: "awf", + Env: map[string]string{"DEBUG": "true"}, + }, + }, + expectError: true, + errorMsg: "strict mode: 'sandbox.agent.env' is not allowed because it is an internal implementation detail", + }, + { + name: "sandbox.mcp.container is rejected", + sandbox: &SandboxConfig{ + MCP: &MCPGatewayRuntimeConfig{ + Container: "ghcr.io/example/gateway", + }, + }, + expectError: true, + errorMsg: "strict mode: 'sandbox.mcp.container' is not allowed because it is an internal implementation detail", + }, + { + name: "sandbox.mcp.version is rejected", + sandbox: &SandboxConfig{ + MCP: &MCPGatewayRuntimeConfig{ + Version: "v1.0.0", + }, + }, + 
expectError: true, + errorMsg: "strict mode: 'sandbox.mcp.version' is not allowed because it is an internal implementation detail", + }, + { + name: "sandbox.mcp.entrypoint is rejected", + sandbox: &SandboxConfig{ + MCP: &MCPGatewayRuntimeConfig{ + Entrypoint: "/custom/start.sh", + }, + }, + expectError: true, + errorMsg: "strict mode: 'sandbox.mcp.entrypoint' is not allowed because it is an internal implementation detail", + }, + { + name: "sandbox.mcp.args is rejected", + sandbox: &SandboxConfig{ + MCP: &MCPGatewayRuntimeConfig{ + Args: []string{"--verbose"}, + }, + }, + expectError: true, + errorMsg: "strict mode: 'sandbox.mcp.args' is not allowed because it is an internal implementation detail", + }, + { + name: "sandbox.mcp.entrypointArgs is rejected", + sandbox: &SandboxConfig{ + MCP: &MCPGatewayRuntimeConfig{ + EntrypointArgs: []string{"--listen", "0.0.0.0:8000"}, + }, + }, + expectError: true, + errorMsg: "strict mode: 'sandbox.mcp.entrypointArgs' is not allowed because it is an internal implementation detail", + }, + { + name: "sandbox.mcp with only allowed fields is permitted", + sandbox: &SandboxConfig{ + MCP: &MCPGatewayRuntimeConfig{ + Port: 8080, + APIKey: "${{ secrets.MCP_KEY }}", + }, + }, + expectError: false, + }, + { + name: "sandbox.agent.mounts is allowed (not an internal field)", + sandbox: &SandboxConfig{ + Agent: &AgentSandboxConfig{ + ID: "awf", + Mounts: []string{"/host/data:/data:ro"}, + }, + }, + expectError: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + compiler := NewCompiler() + compiler.strictMode = true + + err := compiler.validateStrictSandboxCustomization(tt.sandbox) + + if tt.expectError && err == nil { + t.Error("Expected validation to fail but it succeeded") + } else if !tt.expectError && err != nil { + t.Errorf("Expected validation to succeed but it failed: %v", err) + } else if tt.expectError && err != nil && tt.errorMsg != "" { + if !strings.Contains(err.Error(), tt.errorMsg) { + 
t.Errorf("Expected error containing %q, got %q", tt.errorMsg, err.Error()) + } + } + }) + } +} + +// TestValidateStrictSandboxCustomizationNonStrictMode verifies that internal fields +// are not rejected when strict mode is disabled. +func TestValidateStrictSandboxCustomizationNonStrictMode(t *testing.T) { + compiler := NewCompiler() + compiler.strictMode = false + + sandbox := &SandboxConfig{ + Agent: &AgentSandboxConfig{ + ID: "awf", + Command: "/custom/awf", + Args: []string{"--debug"}, + Env: map[string]string{"LOG": "verbose"}, + }, + MCP: &MCPGatewayRuntimeConfig{ + Container: "ghcr.io/example/gateway", + Version: "latest", + Entrypoint: "/bin/sh", + Args: []string{"--rm"}, + EntrypointArgs: []string{"--listen", "0.0.0.0"}, + }, + } + + err := compiler.validateStrictSandboxCustomization(sandbox) + if err != nil { + t.Errorf("Expected non-strict mode to allow all sandbox fields, got error: %v", err) + } +} diff --git a/scripts/generate-schema-docs.js b/scripts/generate-schema-docs.js index 6c113c44d44..18f3dd86087 100755 --- a/scripts/generate-schema-docs.js +++ b/scripts/generate-schema-docs.js @@ -188,7 +188,8 @@ function generateVariants(prop, propName, indent = 0, required = []) { lines.push(formatComment(`Array items: ${variant.items.description || variant.items.type}`, indent + 2)); } } else if (variant.type === "boolean") { - lines.push(`${indentStr}${propName}: true`); + const boolExample = getExampleValue(variant, propName); + lines.push(`${indentStr}${propName}: ${boolExample}`); } else if (variant.type === "null") { lines.push(`${indentStr}${propName}: null`); } else if (variant.type === "number" || variant.type === "integer") { 
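Review bot: The case `sandbox.agent.mounts is allowed (not an internal field)` fixes host-path mounts as permitted under strict mode, but nothing next to it says why mounts differ from `command`, `args` and `env`. The same commit deletes the Custom Mounts section from `sandbox.md`, which makes the intent harder to read. A comment on the case would record it, for example `// mounts stays user-facing: it is not marked x-internal in main_workflow_schema.json`, assuming the schema does leave mounts unmarked, as the hunks in this commit suggest. If mounts are meant to become internal as well, this case should flip to `expectError: true` together with the validator.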
@@ -274,12 +275,17 @@ function generateProperties(properties, required = [], indent = 0) { return; } + // Skip internal-only properties (marked with "x-internal": true in the schema). + // These are implementation/debugging details not intended for end users. + // Required fields are still rendered so that generated YAML examples remain schema-valid. + const isRequired = required.includes(propName); + if (resolvedProp["x-internal"] === true && !isRequired) { + return; + } if (addedCount > 0) { lines.push(""); } - const isRequired = required.includes(propName); - // Check if property has variants if (resolvedProp.oneOf || resolvedProp.anyOf) { lines.push(generateVariants(resolvedProp, propName, indent, required));
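Review bot: An `x-internal` property that is also listed in `required` is rendered exactly like a public one, so the generated reference gives no hint that the field is internal and nothing alerts the schema author to the conflict. A warning at generation time would surface it: `if (resolvedProp["x-internal"] === true && isRequired) console.warn(`x-internal property "${propName}" is required and will be documented`);`. The filter also runs only in `generateProperties`; whether variants emitted through `generateVariants` can carry `x-internal` is not visible here. The function body continues past the hunk.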