From 94286e87fa754cf5598ced6362517d9593f1d42f Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Sat, 4 Apr 2026 10:26:05 -0700 Subject: [PATCH 1/3] fix: use gh aw --version to check CLI availability The setup action installs gh-aw as 'gh aw' (not 'github/gh-aw'), so grep -q 'github/gh-aw' on extension list misses it and the else branch fails with 'already installed'. Use a direct version check instead. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../workflows/copilot-token-audit.lock.yml | 34 +++++++++---------- .github/workflows/copilot-token-audit.md | 4 +-- .../copilot-token-optimizer.lock.yml | 34 +++++++++---------- .github/workflows/copilot-token-optimizer.md | 4 +-- 4 files changed, 34 insertions(+), 42 deletions(-) diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml index b6211539e1a..1dfcf6fac7c 100644 --- a/.github/workflows/copilot-token-audit.lock.yml +++ b/.github/workflows/copilot-token-audit.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"98b2c43eb0329c16327d3d530267797b8feb0a46a34b09fc5630cabb2f79c5b7","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"95d19131c6a686df72e2ad561b8d0760a8d7e4b53d3e216b7e877b6ce203c9fa","strict":true,"agent_id":"copilot"} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -153,9 +153,9 @@ jobs: run: | bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh { - cat << 'GH_AW_PROMPT_58a00121d60b1539_EOF' + cat << 'GH_AW_PROMPT_a8a1b827f9cd65e2_EOF' - GH_AW_PROMPT_58a00121d60b1539_EOF + GH_AW_PROMPT_a8a1b827f9cd65e2_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" @@ -163,7 +163,7 @@ jobs: cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/repo_memory_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_58a00121d60b1539_EOF' + cat << 'GH_AW_PROMPT_a8a1b827f9cd65e2_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -197,14 +197,14 @@ jobs: {{/if}} - GH_AW_PROMPT_58a00121d60b1539_EOF + GH_AW_PROMPT_a8a1b827f9cd65e2_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_58a00121d60b1539_EOF' + cat << 'GH_AW_PROMPT_a8a1b827f9cd65e2_EOF' {{#runtime-import .github/workflows/shared/reporting.md}} {{#runtime-import .github/workflows/shared/python-dataviz.md}} {{#runtime-import .github/workflows/copilot-token-audit.md}} - GH_AW_PROMPT_58a00121d60b1539_EOF + GH_AW_PROMPT_a8a1b827f9cd65e2_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -401,9 +401,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Install gh-aw CLI run: | - if gh extension list | grep -q "github/gh-aw"; then - gh extension upgrade gh-aw || true - else + if ! gh aw --version 2>/dev/null; then gh extension install github/gh-aw fi gh aw --version @@ -510,12 +508,12 @@ jobs: mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_c30dea8b77533504_EOF' + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_d7f52a36236c9caa_EOF' {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[copilot-token-audit] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} - GH_AW_SAFE_OUTPUTS_CONFIG_c30dea8b77533504_EOF + GH_AW_SAFE_OUTPUTS_CONFIG_d7f52a36236c9caa_EOF - name: Write Safe Outputs Tools run: | - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_85b5d925931c7354_EOF' + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_f84bc421aa5e69da_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-token-audit] \". Discussions will be created in category \"audits\".", @@ -524,8 +522,8 @@ jobs: "repo_params": {}, "dynamic_tools": [] } - GH_AW_SAFE_OUTPUTS_TOOLS_META_85b5d925931c7354_EOF - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_a4a791c1bf13b823_EOF' + GH_AW_SAFE_OUTPUTS_TOOLS_META_f84bc421aa5e69da_EOF + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_2f4fef575e4c9580_EOF' { "create_discussion": { "defaultMax": 1, @@ -620,7 +618,7 @@ jobs: } } } - GH_AW_SAFE_OUTPUTS_VALIDATION_a4a791c1bf13b823_EOF + GH_AW_SAFE_OUTPUTS_VALIDATION_2f4fef575e4c9580_EOF node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config @@ -694,7 +692,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.12' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_e77bc9e658c505d1_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_17da5dc94a28e379_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -754,7 +752,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_e77bc9e658c505d1_EOF + GH_AW_MCP_CONFIG_17da5dc94a28e379_EOF - name: Download activation artifact uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: diff --git a/.github/workflows/copilot-token-audit.md b/.github/workflows/copilot-token-audit.md index 6bde5efc64d..5a2a6cb64e2 100644 --- a/.github/workflows/copilot-token-audit.md +++ b/.github/workflows/copilot-token-audit.md @@ -20,9 +20,7 @@ steps: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - if gh extension list | grep -q "github/gh-aw"; then - gh extension upgrade gh-aw || true - else + if ! gh aw --version 2>/dev/null; then gh extension install github/gh-aw fi gh aw --version diff --git a/.github/workflows/copilot-token-optimizer.lock.yml b/.github/workflows/copilot-token-optimizer.lock.yml index 58794fad142..ee696a27e87 100644 --- a/.github/workflows/copilot-token-optimizer.lock.yml +++ b/.github/workflows/copilot-token-optimizer.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6c0be3943af1605d9debf1acb7d9a8652afa2438ec55c1c3685d325da6fc34c8","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"299abe30bf017fadef78502f9a89a8569fc3975357d07b22ffa095dd436c5ad8","strict":true,"agent_id":"copilot"} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -149,16 +149,16 @@ jobs: run: | bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh { - cat << 'GH_AW_PROMPT_3016a484a9e1c1a1_EOF' + cat << 'GH_AW_PROMPT_257d307a09b47027_EOF' - GH_AW_PROMPT_3016a484a9e1c1a1_EOF + GH_AW_PROMPT_257d307a09b47027_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md" cat "${RUNNER_TEMP}/gh-aw/prompts/repo_memory_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_3016a484a9e1c1a1_EOF' + cat << 'GH_AW_PROMPT_257d307a09b47027_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -190,13 +190,13 @@ jobs: {{/if}} - GH_AW_PROMPT_3016a484a9e1c1a1_EOF + GH_AW_PROMPT_257d307a09b47027_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_3016a484a9e1c1a1_EOF' + cat << 'GH_AW_PROMPT_257d307a09b47027_EOF' {{#runtime-import .github/workflows/shared/reporting.md}} {{#runtime-import .github/workflows/copilot-token-optimizer.md}} - GH_AW_PROMPT_3016a484a9e1c1a1_EOF + GH_AW_PROMPT_257d307a09b47027_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -361,9 +361,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Install gh-aw CLI run: |- - if gh extension list | grep -q "github/gh-aw"; then - gh extension upgrade gh-aw || true - else + if ! gh aw --version 2>/dev/null; then gh extension install github/gh-aw fi gh aw --version @@ -451,12 +449,12 @@ jobs: mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_74130b46a97c194e_EOF' + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_8e2e0cf210ab77ad_EOF' {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":168,"fallback_to_issue":true,"max":1,"title_prefix":"[copilot-token-optimizer] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} - GH_AW_SAFE_OUTPUTS_CONFIG_74130b46a97c194e_EOF + GH_AW_SAFE_OUTPUTS_CONFIG_8e2e0cf210ab77ad_EOF - name: Write Safe Outputs Tools run: | - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_0a66531de00e3046_EOF' + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_b438a1e1f1431a5b_EOF' { "description_suffixes": { "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-token-optimizer] \". Discussions will be created in category \"audits\"." @@ -464,8 +462,8 @@ jobs: "repo_params": {}, "dynamic_tools": [] } - GH_AW_SAFE_OUTPUTS_TOOLS_META_0a66531de00e3046_EOF - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_9961baf6f509ded5_EOF' + GH_AW_SAFE_OUTPUTS_TOOLS_META_b438a1e1f1431a5b_EOF + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_133a63e75071215d_EOF' { "create_discussion": { "defaultMax": 1, @@ -551,7 +549,7 @@ jobs: } } } - GH_AW_SAFE_OUTPUTS_VALIDATION_9961baf6f509ded5_EOF + GH_AW_SAFE_OUTPUTS_VALIDATION_133a63e75071215d_EOF node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config @@ -622,7 +620,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.12' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_2153288600fbf2ef_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_c3c23568ba7976db_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -682,7 +680,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_2153288600fbf2ef_EOF + GH_AW_MCP_CONFIG_c3c23568ba7976db_EOF - name: Download activation artifact uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: diff --git a/.github/workflows/copilot-token-optimizer.md b/.github/workflows/copilot-token-optimizer.md index 61f5ad6a4ef..629f3f71821 100644 --- a/.github/workflows/copilot-token-optimizer.md +++ b/.github/workflows/copilot-token-optimizer.md @@ -22,9 +22,7 @@ steps: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - if gh extension list | grep -q "github/gh-aw"; then - gh extension upgrade gh-aw || true - else + if ! gh aw --version 2>/dev/null; then gh extension install github/gh-aw fi gh aw --version From 15cfa92e6da7f60f153789af4a57eacff332f91f Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Sat, 4 Apr 2026 10:30:13 -0700 Subject: [PATCH 2/3] Update .github/workflows/copilot-token-audit.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/copilot-token-audit.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/copilot-token-audit.md b/.github/workflows/copilot-token-audit.md index 5a2a6cb64e2..4a1ccfedf30 100644 --- a/.github/workflows/copilot-token-audit.md +++ b/.github/workflows/copilot-token-audit.md @@ -20,7 +20,7 @@ steps: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - if ! gh aw --version 2>/dev/null; then + if ! gh aw --version >/dev/null 2>&1; then gh extension install github/gh-aw fi gh aw --version From 31b7b84d211bb8be46d675649cc5ac09c21094e9 Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Sat, 4 Apr 2026 10:30:21 -0700 Subject: [PATCH 3/3] Update .github/workflows/copilot-token-optimizer.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/copilot-token-optimizer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/copilot-token-optimizer.md b/.github/workflows/copilot-token-optimizer.md index 629f3f71821..68bf579a1b1 100644 --- a/.github/workflows/copilot-token-optimizer.md +++ b/.github/workflows/copilot-token-optimizer.md @@ -22,7 +22,7 @@ steps: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - if ! gh aw --version 2>/dev/null; then + if ! gh aw --version >/dev/null 2>&1; then gh extension install github/gh-aw fi gh aw --version