From 1850219a8ee17716b2f8be794d8e7b684dd7c096 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 8 Apr 2026 06:16:52 +0000
Subject: [PATCH 1/6] feat: add --runner-guard arg to compile and update
static-analysis-report workflow
- Add RunnerGuardImage constant (ghcr.io/vigilant-llc/runner-guard:v3.0.1)
- Add RunnerGuard bool to CompileConfig
- Create runner_guard.go with Docker-based implementation (mirrors poutine.go)
- Update CheckAndPrepareDockerImages to accept useRunnerGuard param
- Add runBatchRunnerGuard/RunRunnerGuardOnDirectory to compile_batch_operations
- Wire runner-guard into compile_pipeline.go (both compileSpecificFiles and compileAllFilesInDirectory)
- Fix lockFilesForDirTools to allow --poutine/--runner-guard without --zizmor
- Add --runner-guard flag to cmd/gh-aw/main.go
- Add runner-guard field to MCP compile tool schema
- Update static-analysis-report.md: use Docker for runner_guard job and add --runner-guard to compile step
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/40d94ea5-12ef-45f4-8336-71b9904b8ff4
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
.../workflows/static-analysis-report.lock.yml | 47 ++--
.github/workflows/static-analysis-report.md | 29 +-
cmd/gh-aw/main.go | 3 +
pkg/cli/compile_batch_operations.go | 23 ++
pkg/cli/compile_config.go | 1 +
pkg/cli/compile_pipeline.go | 34 ++-
pkg/cli/docker_images.go | 17 +-
pkg/cli/docker_images_test.go | 28 +-
pkg/cli/mcp_tools_readonly.go | 24 +-
pkg/cli/runner_guard.go | 251 ++++++++++++++++++
10 files changed, 390 insertions(+), 67 deletions(-)
create mode 100644 pkg/cli/runner_guard.go
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index b693efebbd0..c2c5b2a5834 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"869b3b7da437d108347555f117c98d89b01ab2ed5a2be53b6a2742578863909b","strict":true,"agent_id":"claude"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"776e47c264994d11ac6fb58d89f95fc97de8f3ee8326d0c07ef48fdbb9274157","strict":true,"agent_id":"claude"}
# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]}
# ___ _ _
# / _ \ | | (_)
@@ -161,16 +161,16 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_c31a1f75b7e5048e_EOF'
+ cat << 'GH_AW_PROMPT_368d3ccaf181f2f0_EOF'
- GH_AW_PROMPT_c31a1f75b7e5048e_EOF
+ GH_AW_PROMPT_368d3ccaf181f2f0_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_c31a1f75b7e5048e_EOF'
+ cat << 'GH_AW_PROMPT_368d3ccaf181f2f0_EOF'
Tools: create_issue(max:3), create_discussion, missing_tool, missing_data, noop
@@ -202,13 +202,13 @@ jobs:
{{/if}}
- GH_AW_PROMPT_c31a1f75b7e5048e_EOF
+ GH_AW_PROMPT_368d3ccaf181f2f0_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_c31a1f75b7e5048e_EOF'
+ cat << 'GH_AW_PROMPT_368d3ccaf181f2f0_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
{{#runtime-import .github/workflows/static-analysis-report.md}}
- GH_AW_PROMPT_c31a1f75b7e5048e_EOF
+ GH_AW_PROMPT_368d3ccaf181f2f0_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -385,11 +385,11 @@ jobs:
fi
gh aw --version
- name: Pull static analysis Docker images
- run: "set -e\necho \"Pulling Docker images for static analysis tools...\"\n\n# Pull zizmor Docker image\necho \"Pulling zizmor image...\"\ndocker pull ghcr.io/zizmorcore/zizmor:latest\n\n# Pull poutine Docker image\necho \"Pulling poutine image...\"\ndocker pull ghcr.io/boostsecurityio/poutine:latest\n\necho \"All static analysis Docker images pulled successfully\"\n"
+ run: "set -e\necho \"Pulling Docker images for static analysis tools...\"\n\n# Pull zizmor Docker image\necho \"Pulling zizmor image...\"\ndocker pull ghcr.io/zizmorcore/zizmor:latest\n\n# Pull poutine Docker image\necho \"Pulling poutine image...\"\ndocker pull ghcr.io/boostsecurityio/poutine:latest\n\n# Pull runner-guard Docker image\necho \"Pulling runner-guard image...\"\ndocker pull ghcr.io/vigilant-llc/runner-guard:v3.0.1\n\necho \"All static analysis Docker images pulled successfully\"\n"
- name: Verify static analysis tools
- run: "set -e\necho \"Verifying static analysis tools are available...\"\n\n# Verify zizmor\necho \"Testing zizmor...\"\ndocker run --rm ghcr.io/zizmorcore/zizmor:latest --version || echo \"Warning: zizmor version check failed\"\n\n# Verify poutine\necho \"Testing poutine...\"\ndocker run --rm ghcr.io/boostsecurityio/poutine:latest --version || echo \"Warning: poutine version check failed\"\n\necho \"Static analysis tools verification complete\"\n"
+ run: "set -e\necho \"Verifying static analysis tools are available...\"\n\n# Verify zizmor\necho \"Testing zizmor...\"\ndocker run --rm ghcr.io/zizmorcore/zizmor:latest --version || echo \"Warning: zizmor version check failed\"\n\n# Verify poutine\necho \"Testing poutine...\"\ndocker run --rm ghcr.io/boostsecurityio/poutine:latest --version || echo \"Warning: poutine version check failed\"\n\n# Verify runner-guard\necho \"Testing runner-guard...\"\ndocker run --rm ghcr.io/vigilant-llc/runner-guard:v3.0.1 --version || echo \"Warning: runner-guard version check failed\"\n\necho \"Static analysis tools verification complete\"\n"
- name: Run compile with security tools
- run: "set -e\necho \"Running gh aw compile with security tools to download Docker images...\"\n\n# Run compile with all security scanner flags to download Docker images\n# Store the output in a file for inspection\ngh aw compile --zizmor --poutine --actionlint 2>&1 | tee /tmp/gh-aw/compile-output.txt\n\necho \"Compile with security tools completed\"\necho \"Output saved to /tmp/gh-aw/compile-output.txt\"\n"
+ run: "set -e\necho \"Running gh aw compile with security tools to download Docker images...\"\n\n# Run compile with all security scanner flags to download Docker images\n# Store the output in a file for inspection\ngh aw compile --zizmor --poutine --actionlint --runner-guard 2>&1 | tee /tmp/gh-aw/compile-output.txt\n\necho \"Compile with security tools completed\"\necho \"Output saved to /tmp/gh-aw/compile-output.txt\"\n"
- name: Download runner-guard results
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
@@ -488,9 +488,9 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_e6b1577951691eef_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_4c804d91fec07836_EOF'
{"create_discussion":{"category":"security","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1},"create_issue":{"expires":168,"labels":["security","automation"],"max":3,"title_prefix":"[runner-guard] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
- GH_AW_SAFE_OUTPUTS_CONFIG_e6b1577951691eef_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_4c804d91fec07836_EOF
- name: Write Safe Outputs Tools
env:
GH_AW_TOOLS_META_JSON: |
@@ -712,7 +712,7 @@ jobs:
export GH_AW_ENGINE="claude"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.16'
- cat << GH_AW_MCP_CONFIG_a00060c74c91676a_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_36fd9c8e2994a1c4_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -770,7 +770,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_a00060c74c91676a_EOF
+ GH_AW_MCP_CONFIG_36fd9c8e2994a1c4_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
@@ -1352,19 +1352,16 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- - name: Install runner-guard
- run: go install github.com/Vigilant-LLC/runner-guard/v2/cmd/runner-guard@v2.6.0
- name: Run runner-guard scan
run: |
- RUNNER_GUARD="$(go env GOPATH)/bin/runner-guard"
- if [ ! -x "$RUNNER_GUARD" ]; then
- echo '{"findings":[],"error":"runner-guard binary not found after install"}' > /tmp/runner-guard-results.json
- else
- "$RUNNER_GUARD" scan . --format json > /tmp/runner-guard-results.json 2>/tmp/runner-guard-stderr.log || true
- # If output is empty or not valid JSON, write empty result
- if ! python3 -c "import json,sys; json.load(open('/tmp/runner-guard-results.json'))" 2>/dev/null; then
- echo '{"findings":[],"stderr":"'"$(cat /tmp/runner-guard-stderr.log | head -20 | tr '"' "'")"'"}' > /tmp/runner-guard-results.json
- fi
+ docker run --rm \
+ -v "$(pwd):/workdir" \
+ -w /workdir \
+ ghcr.io/vigilant-llc/runner-guard:v3.0.1 \
+ scan . --format json > /tmp/runner-guard-results.json 2>/tmp/runner-guard-stderr.log || true
+ # If output is empty or not valid JSON, write empty result
+ if ! python3 -c "import json,sys; json.load(open('/tmp/runner-guard-results.json'))" 2>/dev/null; then
+ echo '{"findings":[],"stderr":"'"$(cat /tmp/runner-guard-stderr.log | head -20 | tr '"' "'")"'"}' > /tmp/runner-guard-results.json
fi
- name: Upload runner-guard results
if: always()
diff --git a/.github/workflows/static-analysis-report.md b/.github/workflows/static-analysis-report.md
index d8614b3a115..eb7f73bf3ae 100644
--- a/.github/workflows/static-analysis-report.md
+++ b/.github/workflows/static-analysis-report.md
@@ -42,19 +42,16 @@ jobs:
uses: actions/checkout@v6.0.2
with:
persist-credentials: false
- - name: Install runner-guard
- run: go install github.com/Vigilant-LLC/runner-guard/v2/cmd/runner-guard@v2.6.0
- name: Run runner-guard scan
run: |
- RUNNER_GUARD="$(go env GOPATH)/bin/runner-guard"
- if [ ! -x "$RUNNER_GUARD" ]; then
- echo '{"findings":[],"error":"runner-guard binary not found after install"}' > /tmp/runner-guard-results.json
- else
- "$RUNNER_GUARD" scan . --format json > /tmp/runner-guard-results.json 2>/tmp/runner-guard-stderr.log || true
- # If output is empty or not valid JSON, write empty result
- if ! python3 -c "import json,sys; json.load(open('/tmp/runner-guard-results.json'))" 2>/dev/null; then
- echo '{"findings":[],"stderr":"'"$(cat /tmp/runner-guard-stderr.log | head -20 | tr '"' "'")"'"}' > /tmp/runner-guard-results.json
- fi
+ docker run --rm \
+ -v "$(pwd):/workdir" \
+ -w /workdir \
+ ghcr.io/vigilant-llc/runner-guard:v3.0.1 \
+ scan . --format json > /tmp/runner-guard-results.json 2>/tmp/runner-guard-stderr.log || true
+ # If output is empty or not valid JSON, write empty result
+ if ! python3 -c "import json,sys; json.load(open('/tmp/runner-guard-results.json'))" 2>/dev/null; then
+ echo '{"findings":[],"stderr":"'"$(cat /tmp/runner-guard-stderr.log | head -20 | tr '"' "'")"'"}' > /tmp/runner-guard-results.json
fi
- name: Upload runner-guard results
if: always()
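Review bot: The scan step bind-mounts the checkout into the third-party image read-write, although the visible command only reads the tree and its JSON goes to stdout, which the host shell redirects. Assuming runner-guard does not need to write into the scanned tree, mount it read-only with `-v "$(pwd):/workdir:ro" \` so the container cannot modify the workspace. Separately, a failed image pull now falls into the `|| true` path and is reported as `{"findings":[]}` with only a `stderr` string, where the removed branch wrote an explicit `"error"` key. Keeping an `"error"` field when `docker run` yields no valid JSON would let the report tell a scanner failure from a clean scan.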
@@ -87,6 +84,10 @@ steps:
echo "Pulling poutine image..."
docker pull ghcr.io/boostsecurityio/poutine:latest
+ # Pull runner-guard Docker image
+ echo "Pulling runner-guard image..."
+ docker pull ghcr.io/vigilant-llc/runner-guard:v3.0.1
+
echo "All static analysis Docker images pulled successfully"
- name: Verify static analysis tools
run: |
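Review bot: The runner-guard image is referenced by tag only (`v3.0.1`), and a tag can be repointed in the registry, whereas the actions in the compiled lock file are pinned by commit SHA. Pinning by digest, `docker pull ghcr.io/vigilant-llc/runner-guard:v3.0.1@sha256:<digest-from-registry>`, makes the scanner image immutable for this workflow. The same reference is used by the `docker run` in the runner-guard scan step, by the verify step, and by `RunnerGuardImage` in pkg/cli/docker_images.go, so they should be changed together.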
@@ -101,6 +102,10 @@ steps:
echo "Testing poutine..."
docker run --rm ghcr.io/boostsecurityio/poutine:latest --version || echo "Warning: poutine version check failed"
+ # Verify runner-guard
+ echo "Testing runner-guard..."
+ docker run --rm ghcr.io/vigilant-llc/runner-guard:v3.0.1 --version || echo "Warning: runner-guard version check failed"
+
echo "Static analysis tools verification complete"
- name: Run compile with security tools
run: |
@@ -109,7 +114,7 @@ steps:
# Run compile with all security scanner flags to download Docker images
# Store the output in a file for inspection
- gh aw compile --zizmor --poutine --actionlint 2>&1 | tee /tmp/gh-aw/compile-output.txt
+ gh aw compile --zizmor --poutine --actionlint --runner-guard 2>&1 | tee /tmp/gh-aw/compile-output.txt
echo "Compile with security tools completed"
echo "Output saved to /tmp/gh-aw/compile-output.txt"
diff --git a/cmd/gh-aw/main.go b/cmd/gh-aw/main.go
index 0c075f501c8..b11e8977025 100644
--- a/cmd/gh-aw/main.go
+++ b/cmd/gh-aw/main.go
@@ -276,6 +276,7 @@ Examples:
zizmor, _ := cmd.Flags().GetBool("zizmor")
poutine, _ := cmd.Flags().GetBool("poutine")
actionlint, _ := cmd.Flags().GetBool("actionlint")
+ runnerGuard, _ := cmd.Flags().GetBool("runner-guard")
jsonOutput, _ := cmd.Flags().GetBool("json")
fix, _ := cmd.Flags().GetBool("fix")
stats, _ := cmd.Flags().GetBool("stats")
@@ -333,6 +334,7 @@ Examples:
Zizmor: zizmor,
Poutine: poutine,
Actionlint: actionlint,
+ RunnerGuard: runnerGuard,
JSONOutput: jsonOutput,
Stats: stats,
FailFast: failFast,
@@ -679,6 +681,7 @@ Use "` + string(constants.CLIExtensionPrefix) + ` help all" to show help for all
compileCmd.Flags().Bool("zizmor", false, "Run zizmor security scanner on generated .lock.yml files")
compileCmd.Flags().Bool("poutine", false, "Run poutine security scanner on generated .lock.yml files")
compileCmd.Flags().Bool("actionlint", false, "Run actionlint linter on generated .lock.yml files")
+ compileCmd.Flags().Bool("runner-guard", false, "Run runner-guard taint analysis scanner on generated .lock.yml files (uses Docker image "+cli.RunnerGuardImage+")")
compileCmd.Flags().Bool("fix", false, "Apply automatic codemod fixes to workflows before compiling")
compileCmd.Flags().BoolP("json", "j", false, "Output results in JSON format")
compileCmd.Flags().Bool("stats", false, "Display statistics table sorted by workflow file size (shows jobs, steps, scripts, and shells)")
diff --git a/pkg/cli/compile_batch_operations.go b/pkg/cli/compile_batch_operations.go
index ab22cfe8a29..3e68509a346 100644
--- a/pkg/cli/compile_batch_operations.go
+++ b/pkg/cli/compile_batch_operations.go
@@ -61,6 +61,12 @@ func RunPoutineOnDirectory(workflowDir string, verbose bool, strict bool) error
return runPoutineOnDirectory(workflowDir, verbose, strict)
}
+// RunRunnerGuardOnDirectory runs runner-guard taint analysis scanner once on a directory.
+// Runner-guard scans all workflows in a directory, so it only needs to run once.
+func RunRunnerGuardOnDirectory(workflowDir string, verbose bool, strict bool) error {
+ return runRunnerGuardOnDirectory(workflowDir, verbose, strict)
+}
+
// runBatchLockFileTool runs a batch tool on lock files with uniform error handling
func runBatchLockFileTool(toolName string, lockFiles []string, verbose bool, strict bool, runner func([]string, bool, bool) error) error {
if len(lockFiles) == 0 {
@@ -110,6 +116,23 @@ func runBatchPoutine(workflowDir string, verbose bool, strict bool) error {
return nil
}
+// runBatchRunnerGuard runs runner-guard taint analysis scanner once for the entire directory
+func runBatchRunnerGuard(workflowDir string, verbose bool, strict bool) error {
+ compileBatchOperationsLog.Printf("Running batch runner-guard on directory: %s", workflowDir)
+
+ if err := RunRunnerGuardOnDirectory(workflowDir, verbose, strict); err != nil {
+ if strict {
+ return fmt.Errorf("runner-guard taint analysis failed: %w", err)
+ }
+ // In non-strict mode, runner-guard errors are warnings
+ if verbose {
+ fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("runner-guard warnings: %v", err)))
+ }
+ }
+
+ return nil
+}
+
// purgeOrphanedLockFiles removes orphaned .lock.yml files
// These are lock files that exist but don't have a corresponding .md file
func purgeOrphanedLockFiles(workflowsDir string, expectedLockFiles []string, verbose bool) error {
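Review bot: In `runBatchRunnerGuard`, a scanner error is dropped without any trace when `strict` and `verbose` are both false, so a failed scan looks the same as a clean one unless `runRunnerGuardOnDirectory` reports it itself (its body is not visible here). The callers in compile_pipeline.go pass `config.Verbose && !config.JSONOutput`, so every JSON-output run takes this path. Logging the error before the verbose check, `compileBatchOperationsLog.Printf("runner-guard failed (non-strict): %v", err)`, would keep a record of it.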
diff --git a/pkg/cli/compile_config.go b/pkg/cli/compile_config.go
index 26576bef19c..c0baf4236d5 100644
--- a/pkg/cli/compile_config.go
+++ b/pkg/cli/compile_config.go
@@ -21,6 +21,7 @@ type CompileConfig struct {
Zizmor bool // Run zizmor security scanner on generated .lock.yml files
Poutine bool // Run poutine security scanner on generated .lock.yml files
Actionlint bool // Run actionlint linter on generated .lock.yml files
+ RunnerGuard bool // Run runner-guard taint analysis scanner on generated .lock.yml files
JSONOutput bool // Output validation results as JSON
ActionMode string // Action script inlining mode: inline, dev, or release
ActionTag string // Override action SHA or tag for actions/setup (overrides action-mode to release)
diff --git a/pkg/cli/compile_pipeline.go b/pkg/cli/compile_pipeline.go
index a3fbd3c13b5..9121b88c6a0 100644
--- a/pkg/cli/compile_pipeline.go
+++ b/pkg/cli/compile_pipeline.go
@@ -58,6 +58,7 @@ func compileSpecificFiles(
var errorCount int
var lockFilesForActionlint []string
var lockFilesForZizmor []string
+ var lockFilesForDirTools []string // lock files for directory-based tools (poutine, runner-guard)
// Compile each specified file
for _, markdownFile := range config.MarkdownFiles {
@@ -122,6 +123,9 @@ func compileSpecificFiles(
if config.Zizmor {
lockFilesForZizmor = append(lockFilesForZizmor, fileResult.lockFile)
}
+ if config.Poutine || config.RunnerGuard {
+ lockFilesForDirTools = append(lockFilesForDirTools, fileResult.lockFile)
+ }
}
}
}
@@ -149,8 +153,8 @@ func compileSpecificFiles(
// Run batch poutine once on the workflow directory
// Get the directory from the first lock file (all should be in same directory)
- if config.Poutine && !config.NoEmit && len(lockFilesForZizmor) > 0 {
- workflowDir := filepath.Dir(lockFilesForZizmor[0])
+ if config.Poutine && !config.NoEmit && len(lockFilesForDirTools) > 0 {
+ workflowDir := filepath.Dir(lockFilesForDirTools[0])
if err := runBatchPoutine(workflowDir, config.Verbose && !config.JSONOutput, config.Strict); err != nil {
if config.Strict {
return workflowDataList, err
@@ -158,6 +162,17 @@ func compileSpecificFiles(
}
}
+ // Run batch runner-guard once on the workflow directory
+ // Get the directory from the first lock file (all should be in same directory)
+ if config.RunnerGuard && !config.NoEmit && len(lockFilesForDirTools) > 0 {
+ workflowDir := filepath.Dir(lockFilesForDirTools[0])
+ if err := runBatchRunnerGuard(workflowDir, config.Verbose && !config.JSONOutput, config.Strict); err != nil {
+ if config.Strict {
+ return workflowDataList, err
+ }
+ }
+ }
+
// Get warning count from compiler
stats.Warnings = compiler.GetWarningCount()
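Review bot: Only the directory of `lockFilesForDirTools[0]` is handed to runner-guard, so if `compileSpecificFiles` is given markdown files from more than one directory, the lock files in the other directories are never scanned and nothing reports that. Whether this matters depends on how `runRunnerGuardOnDirectory` scopes its scan, which is not visible in this hunk. If the scan is limited to `workflowDir`, run the scanner once per distinct directory as sketched below. The enclosing function starts and ends outside the hunk.

```go
// … unchanged: batch poutine run …
if config.RunnerGuard && !config.NoEmit {
	scannedDirs := make(map[string]struct{})
	for _, lockFile := range lockFilesForDirTools {
		workflowDir := filepath.Dir(lockFile)
		if _, seen := scannedDirs[workflowDir]; seen {
			continue
		}
		scannedDirs[workflowDir] = struct{}{}
		if err := runBatchRunnerGuard(workflowDir, config.Verbose && !config.JSONOutput, config.Strict); err != nil {
			if config.Strict {
				return workflowDataList, err
			}
		}
	}
}
```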
@@ -247,6 +262,7 @@ func compileAllFilesInDirectory(
var errorCount int
var lockFilesForActionlint []string
var lockFilesForZizmor []string
+ var lockFilesForDirTools []string // lock files for directory-based tools (poutine, runner-guard)
for _, file := range mdFiles {
stats.Total++
@@ -280,6 +296,9 @@ func compileAllFilesInDirectory(
if config.Zizmor {
lockFilesForZizmor = append(lockFilesForZizmor, fileResult.lockFile)
}
+ if config.Poutine || config.RunnerGuard {
+ lockFilesForDirTools = append(lockFilesForDirTools, fileResult.lockFile)
+ }
}
}
}
@@ -306,7 +325,7 @@ func compileAllFilesInDirectory(
}
// Run batch poutine once on the workflow directory
- if config.Poutine && !config.NoEmit && len(lockFilesForZizmor) > 0 {
+ if config.Poutine && !config.NoEmit && len(lockFilesForDirTools) > 0 {
if err := runBatchPoutine(workflowsDir, config.Verbose && !config.JSONOutput, config.Strict); err != nil {
if config.Strict {
return workflowDataList, err
@@ -314,6 +333,15 @@ func compileAllFilesInDirectory(
}
}
+ // Run batch runner-guard once on the workflow directory
+ if config.RunnerGuard && !config.NoEmit && len(lockFilesForDirTools) > 0 {
+ if err := runBatchRunnerGuard(workflowsDir, config.Verbose && !config.JSONOutput, config.Strict); err != nil {
+ if config.Strict {
+ return workflowDataList, err
+ }
+ }
+ }
+
// Get warning count from compiler
stats.Warnings = compiler.GetWarningCount()
diff --git a/pkg/cli/docker_images.go b/pkg/cli/docker_images.go
index cb42f9eb914..ea911f2dcd7 100644
--- a/pkg/cli/docker_images.go
+++ b/pkg/cli/docker_images.go
@@ -16,9 +16,10 @@ var dockerImagesLog = logger.New("cli:docker_images")
// DockerImages defines the Docker images used by the compile tool's static analysis scanners
const (
- ZizmorImage = "ghcr.io/zizmorcore/zizmor:latest"
- PoutineImage = "ghcr.io/boostsecurityio/poutine:latest"
- ActionlintImage = "rhysd/actionlint:latest"
+ ZizmorImage = "ghcr.io/zizmorcore/zizmor:latest"
+ PoutineImage = "ghcr.io/boostsecurityio/poutine:latest"
+ ActionlintImage = "rhysd/actionlint:latest"
+ RunnerGuardImage = "ghcr.io/vigilant-llc/runner-guard:v3.0.1"
)
// dockerPullState tracks the state of docker pull operations
@@ -191,9 +192,9 @@ func StartDockerImageDownload(ctx context.Context, image string) bool {
// Returns:
// - nil if all required images are available
// - error if Docker is unavailable or images are downloading/need to be downloaded
-func CheckAndPrepareDockerImages(ctx context.Context, useZizmor, usePoutine, useActionlint bool) error {
+func CheckAndPrepareDockerImages(ctx context.Context, useZizmor, usePoutine, useActionlint, useRunnerGuard bool) error {
// If no tools requested, nothing to do
- if !useZizmor && !usePoutine && !useActionlint {
+ if !useZizmor && !usePoutine && !useActionlint && !useRunnerGuard {
return nil
}
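Review bot: `CheckAndPrepareDockerImages` now takes four adjacent positional bools, and a call such as `(ctx, true, false, true, false)` gives no hint which scanner each value enables; swapping two of them still compiles and would prepare the wrong image. Since the exported signature is already being broken here, consider passing a small struct with named fields instead. At minimum, the doc comment above the function should list the parameter order. The function body continues outside this hunk.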
@@ -216,6 +217,11 @@ func CheckAndPrepareDockerImages(ctx context.Context, useZizmor, usePoutine, use
requestedTools = append(requestedTools, tool)
paramsList = append(paramsList, tool+": false")
}
+ if useRunnerGuard {
+ tool := "runner-guard"
+ requestedTools = append(requestedTools, tool)
+ paramsList = append(paramsList, tool+": false")
+ }
verb := "requires"
if len(requestedTools) > 1 {
verb = "require"
@@ -235,6 +241,7 @@ func CheckAndPrepareDockerImages(ctx context.Context, useZizmor, usePoutine, use
{useZizmor, ZizmorImage, "zizmor"},
{usePoutine, PoutineImage, "poutine"},
{useActionlint, ActionlintImage, "actionlint"},
+ {useRunnerGuard, RunnerGuardImage, "runner-guard"},
}
for _, img := range imagesToCheck {
diff --git a/pkg/cli/docker_images_test.go b/pkg/cli/docker_images_test.go
index f7e2db4b9c3..085a2193a53 100644
--- a/pkg/cli/docker_images_test.go
+++ b/pkg/cli/docker_images_test.go
@@ -14,7 +14,7 @@ func TestCheckAndPrepareDockerImages_NoToolsRequested(t *testing.T) {
ResetDockerPullState()
// When no tools are requested, should return nil
- err := CheckAndPrepareDockerImages(context.Background(), false, false, false)
+ err := CheckAndPrepareDockerImages(context.Background(), false, false, false, false)
if err != nil {
t.Errorf("Expected no error when no tools requested, got: %v", err)
}
@@ -30,7 +30,7 @@ func TestCheckAndPrepareDockerImages_ImageAlreadyDownloading(t *testing.T) {
SetDockerImageDownloading(ZizmorImage, true)
// Should return an error indicating to retry
- err := CheckAndPrepareDockerImages(context.Background(), true, false, false)
+ err := CheckAndPrepareDockerImages(context.Background(), true, false, false, false)
if err == nil {
t.Error("Expected error when image is downloading, got nil")
}
@@ -100,12 +100,16 @@ func TestDockerImageConstants(t *testing.T) {
if ActionlintImage == "" {
t.Error("ActionlintImage constant should not be empty")
}
+ if RunnerGuardImage == "" {
+ t.Error("RunnerGuardImage constant should not be empty")
+ }
// Verify they are docker image references
expectedImages := map[string]string{
- "zizmor": ZizmorImage,
- "poutine": PoutineImage,
- "actionlint": ActionlintImage,
+ "zizmor": ZizmorImage,
+ "poutine": PoutineImage,
+ "actionlint": ActionlintImage,
+ "runner-guard": RunnerGuardImage,
}
for name, image := range expectedImages {
@@ -129,7 +133,7 @@ func TestCheckAndPrepareDockerImages_MultipleImages(t *testing.T) {
SetDockerImageDownloading(PoutineImage, true)
// Request all tools
- err := CheckAndPrepareDockerImages(context.Background(), true, true, true)
+ err := CheckAndPrepareDockerImages(context.Background(), true, true, true, false)
if err == nil {
t.Error("Expected error when images are downloading, got nil")
}
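Review bot: The comment `// Request all tools` no longer matches the call below it, which passes `false` for runner-guard, and none of the updated calls in this file sets `useRunnerGuard` to true, so the new branch is not exercised. Passing `true` as the last argument here would cover it, probably together with `SetDockerImageDownloading(RunnerGuardImage, true)` so the test does not depend on a real pull; the mock setup above this hunk is only partly visible. The test function starts and ends outside the hunk.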
@@ -155,7 +159,7 @@ func TestCheckAndPrepareDockerImages_RetryMessageFormat(t *testing.T) {
// Simulate zizmor downloading
SetDockerImageDownloading(ZizmorImage, true)
- err := CheckAndPrepareDockerImages(context.Background(), true, false, false)
+ err := CheckAndPrepareDockerImages(context.Background(), true, false, false, false)
if err == nil {
t.Fatal("Expected error when image is downloading")
}
@@ -190,7 +194,7 @@ func TestCheckAndPrepareDockerImages_StartedDownloadingMessage(t *testing.T) {
// when the image is marked as downloading
SetDockerImageDownloading(ZizmorImage, true)
- err := CheckAndPrepareDockerImages(context.Background(), true, false, false)
+ err := CheckAndPrepareDockerImages(context.Background(), true, false, false, false)
if err == nil {
t.Fatal("Expected error when image is downloading")
}
@@ -214,7 +218,7 @@ func TestCheckAndPrepareDockerImages_ImageAlreadyAvailable(t *testing.T) {
SetMockImageAvailable(ZizmorImage, true)
// Should not return an error since the image is available
- err := CheckAndPrepareDockerImages(context.Background(), true, false, false)
+ err := CheckAndPrepareDockerImages(context.Background(), true, false, false, false)
if err != nil {
t.Errorf("Expected no error when image is available, got: %v", err)
}
@@ -459,7 +463,7 @@ func TestCheckAndPrepareDockerImages_DockerUnavailable(t *testing.T) {
SetMockDockerAvailable(false)
// Should return a clear error about Docker not being available
- err := CheckAndPrepareDockerImages(context.Background(), true, false, false)
+ err := CheckAndPrepareDockerImages(context.Background(), true, false, false, false)
if err == nil {
t.Fatal("Expected error when Docker is unavailable, got nil")
}
@@ -497,7 +501,7 @@ func TestCheckAndPrepareDockerImages_DockerUnavailable_MultipleTools(t *testing.
SetMockDockerAvailable(false)
// Request multiple tools
- err := CheckAndPrepareDockerImages(context.Background(), true, false, true)
+ err := CheckAndPrepareDockerImages(context.Background(), true, false, true, false)
if err == nil {
t.Fatal("Expected error when Docker is unavailable, got nil")
}
@@ -536,7 +540,7 @@ func TestCheckAndPrepareDockerImages_DockerUnavailable_NoTools(t *testing.T) {
SetMockDockerAvailable(false)
// When no tools requested, should return nil even if Docker is unavailable
- err := CheckAndPrepareDockerImages(context.Background(), false, false, false)
+ err := CheckAndPrepareDockerImages(context.Background(), false, false, false, false)
if err != nil {
t.Errorf("Expected no error when no tools requested (even with Docker unavailable), got: %v", err)
}
diff --git a/pkg/cli/mcp_tools_readonly.go b/pkg/cli/mcp_tools_readonly.go
index 0385ac2febe..855c33a933e 100644
--- a/pkg/cli/mcp_tools_readonly.go
+++ b/pkg/cli/mcp_tools_readonly.go
@@ -76,12 +76,13 @@ Returns a JSON array where each element has the following structure:
// Returns an error if schema generation fails, which causes the server to stop registering tools.
func registerCompileTool(server *mcp.Server, execCmd execCmdFunc, manifestCacheFile string) error {
type compileArgs struct {
- Workflows []string `json:"workflows,omitempty" jsonschema:"Workflow files to compile (empty for all)"`
- Strict bool `json:"strict,omitempty" jsonschema:"Override frontmatter to enforce strict mode validation for all workflows. Note: Workflows default to strict mode unless frontmatter sets strict: false"`
- Zizmor bool `json:"zizmor,omitempty" jsonschema:"Run zizmor security scanner on generated .lock.yml files"`
- Poutine bool `json:"poutine,omitempty" jsonschema:"Run poutine security scanner on generated .lock.yml files"`
- Actionlint bool `json:"actionlint,omitempty" jsonschema:"Run actionlint linter on generated .lock.yml files"`
- Fix bool `json:"fix,omitempty" jsonschema:"Apply automatic codemod fixes to workflows before compiling"`
+ Workflows []string `json:"workflows,omitempty" jsonschema:"Workflow files to compile (empty for all)"`
+ Strict bool `json:"strict,omitempty" jsonschema:"Override frontmatter to enforce strict mode validation for all workflows. Note: Workflows default to strict mode unless frontmatter sets strict: false"`
+ Zizmor bool `json:"zizmor,omitempty" jsonschema:"Run zizmor security scanner on generated .lock.yml files"`
+ Poutine bool `json:"poutine,omitempty" jsonschema:"Run poutine security scanner on generated .lock.yml files"`
+ Actionlint bool `json:"actionlint,omitempty" jsonschema:"Run actionlint linter on generated .lock.yml files"`
+ RunnerGuard bool `json:"runner-guard,omitempty" jsonschema:"Run runner-guard taint analysis scanner on generated .lock.yml files"`
+ Fix bool `json:"fix,omitempty" jsonschema:"Apply automatic codemod fixes to workflows before compiling"`
}
// Generate schema with elicitation defaults
@@ -131,9 +132,9 @@ Returns JSON array with validation results for each workflow:
}
// Check if any static analysis tools are requested that require Docker images
- if args.Zizmor || args.Poutine || args.Actionlint {
+ if args.Zizmor || args.Poutine || args.Actionlint || args.RunnerGuard {
// Check if Docker images are available; if not, start downloading and return retry message
- if err := CheckAndPrepareDockerImages(ctx, args.Zizmor, args.Poutine, args.Actionlint); err != nil {
+ if err := CheckAndPrepareDockerImages(ctx, args.Zizmor, args.Poutine, args.Actionlint, args.RunnerGuard); err != nil {
// Build per-workflow validation errors instead of throwing an MCP protocol error,
// so callers always receive consistent JSON regardless of the failure mode.
results := buildDockerErrorResults(args.Workflows, err.Error())
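Review bot: `CheckAndPrepareDockerImages` now takes four positional bools after `ctx`, so a transposed argument at a call site like this one would still compile and would check or download the wrong scanner image. A small options struct keeps each flag named as further scanners are added, for example a hypothetical `DockerImageOptions{Zizmor: args.Zizmor, Poutine: args.Poutine, Actionlint: args.Actionlint, RunnerGuard: args.RunnerGuard}` passed as the second argument. The function is defined in `pkg/cli/docker_images.go`, outside this hunk, and the enclosing handler also starts and ends outside it.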
@@ -178,6 +179,9 @@ Returns JSON array with validation results for each workflow:
if args.Actionlint {
cmdArgs = append(cmdArgs, "--actionlint")
}
+ if args.RunnerGuard {
+ cmdArgs = append(cmdArgs, "--runner-guard")
+ }
cmdArgs = append(cmdArgs, args.Workflows...)
@@ -187,8 +191,8 @@ Returns JSON array with validation results for each workflow:
cmdArgs = append(cmdArgs, "--prior-manifest-file", manifestCacheFile)
}
- mcpLog.Printf("Executing compile tool: workflows=%v, strict=%v, fix=%v, zizmor=%v, poutine=%v, actionlint=%v",
- args.Workflows, args.Strict, args.Fix, args.Zizmor, args.Poutine, args.Actionlint)
+ mcpLog.Printf("Executing compile tool: workflows=%v, strict=%v, fix=%v, zizmor=%v, poutine=%v, actionlint=%v, runner-guard=%v",
+ args.Workflows, args.Strict, args.Fix, args.Zizmor, args.Poutine, args.Actionlint, args.RunnerGuard)
// Execute the CLI command
// Use separate stdout/stderr capture instead of CombinedOutput because:
diff --git a/pkg/cli/runner_guard.go b/pkg/cli/runner_guard.go
new file mode 100644
index 00000000000..9717f6deed2
--- /dev/null
+++ b/pkg/cli/runner_guard.go
@@ -0,0 +1,251 @@
+package cli
+
+import (
+ "bytes"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "strings"
+
+ "github.com/github/gh-aw/pkg/console"
+ "github.com/github/gh-aw/pkg/gitutil"
+ "github.com/github/gh-aw/pkg/logger"
+)
+
+var runnerGuardLog = logger.New("cli:runner_guard")
+
+// runnerGuardFinding represents a single finding from runner-guard JSON output
+type runnerGuardFinding struct {
+ RuleID string `json:"rule_id"`
+ Name string `json:"name"`
+ Severity string `json:"severity"`
+ Description string `json:"description"`
+ Remediation string `json:"remediation"`
+ File string `json:"file"`
+ Line int `json:"line"`
+}
+
+// runnerGuardOutput represents the complete JSON output from runner-guard
+type runnerGuardOutput struct {
+ Findings []runnerGuardFinding `json:"findings"`
+ Score int `json:"score,omitempty"`
+ Grade string `json:"grade,omitempty"`
+}
+
+// runRunnerGuardOnDirectory runs the runner-guard taint analysis scanner on a directory
+// containing workflows using the Docker image.
+func runRunnerGuardOnDirectory(workflowDir string, verbose bool, strict bool) error {
+ runnerGuardLog.Printf("Running runner-guard taint analysis on directory: %s", workflowDir)
+
+ // Find git root to get the absolute path for Docker volume mount
+ gitRoot, err := gitutil.FindGitRoot()
+ if err != nil {
+ return fmt.Errorf("failed to find git root: %w", err)
+ }
+
+ // Validate gitRoot is an absolute path (security: ensure trusted path from git)
+ if !filepath.IsAbs(gitRoot) {
+ return fmt.Errorf("git root is not an absolute path: %s", gitRoot)
+ }
+
+ // Build the Docker command
+ // docker run --rm -v "$gitRoot:/workdir" -w /workdir ghcr.io/vigilant-llc/runner-guard:v3.0.1 scan . --format json
+ // #nosec G204 -- gitRoot comes from git rev-parse (trusted source) and is validated as absolute path.
+ // exec.Command with separate args (not shell execution) prevents command injection.
+ cmd := exec.Command(
+ "docker",
+ "run",
+ "--rm",
+ "-v", gitRoot+":/workdir",
+ "-w", "/workdir",
+ RunnerGuardImage,
+ "scan",
+ ".",
+ "--format", "json",
+ )
+
+ // Always show that runner-guard is running (regular verbosity)
+ fmt.Fprintf(os.Stderr, "%s\n", console.FormatInfoMessage("Running runner-guard taint analysis scanner"))
+
+ // In verbose mode, also show the command that users can run directly
+ if verbose {
+ dockerCmd := fmt.Sprintf("docker run --rm -v \"%s:/workdir\" -w /workdir %s scan . --format json",
+ gitRoot, RunnerGuardImage)
+ fmt.Fprintf(os.Stderr, "%s\n", console.FormatInfoMessage("Run runner-guard directly: "+dockerCmd))
+ }
+
+ // Capture output
+ var stdout, stderr bytes.Buffer
+ cmd.Stdout = &stdout
+ cmd.Stderr = &stderr
+
+ // Run the command
+ err = cmd.Run()
+
+ // Parse and display output
+ totalFindings, parseErr := parseAndDisplayRunnerGuardOutput(stdout.String(), verbose, gitRoot)
+ if parseErr != nil {
+ runnerGuardLog.Printf("Failed to parse runner-guard output: %v", parseErr)
+ // Fall back to showing raw output
+ if stdout.Len() > 0 {
+ fmt.Fprint(os.Stderr, stdout.String())
+ }
+ if stderr.Len() > 0 {
+ fmt.Fprint(os.Stderr, stderr.String())
+ }
+ }
+
+ // Check if the error is due to findings or actual failure
+ if err != nil {
+ var exitErr *exec.ExitError
+ if errors.As(err, &exitErr) {
+ exitCode := exitErr.ExitCode()
+ runnerGuardLog.Printf("runner-guard exited with code %d (findings=%d)", exitCode, totalFindings)
+ // Exit code 1 typically indicates findings in the repository
+ if exitCode == 1 {
+ if strict && totalFindings > 0 {
+ return fmt.Errorf("strict mode: runner-guard found %d security findings - workflows must have no runner-guard findings in strict mode", totalFindings)
+ }
+ // In non-strict mode, findings are logged but not treated as errors
+ return nil
+ }
+ // Other exit codes are actual errors
+ return fmt.Errorf("runner-guard failed with exit code %d", exitCode)
+ }
+ // Non-ExitError errors (e.g., command not found)
+ return fmt.Errorf("runner-guard failed: %w", err)
+ }
+
+ return nil
+}
+
+// parseAndDisplayRunnerGuardOutput parses runner-guard JSON output and displays findings.
+// Returns the total number of findings found.
+func parseAndDisplayRunnerGuardOutput(stdout string, verbose bool, gitRoot string) (int, error) {
+ if stdout == "" {
+ return 0, nil // No output means no findings
+ }
+
+ trimmed := strings.TrimSpace(stdout)
+ if !strings.HasPrefix(trimmed, "{") && !strings.HasPrefix(trimmed, "[") {
+ if len(trimmed) > 0 {
+ return 0, fmt.Errorf("unexpected runner-guard output format: %s", trimmed)
+ }
+ return 0, nil
+ }
+
+ var output runnerGuardOutput
+ if err := json.Unmarshal([]byte(stdout), &output); err != nil {
+ return 0, fmt.Errorf("failed to parse runner-guard JSON output: %w", err)
+ }
+
+ totalFindings := len(output.Findings)
+ if totalFindings == 0 {
+ return 0, nil
+ }
+
+ // Display score/grade if present
+ if output.Score > 0 || output.Grade != "" {
+ fmt.Fprintf(os.Stderr, "%s\n", console.FormatInfoMessage(
+ fmt.Sprintf("Runner-Guard Score: %d/100 (Grade: %s)", output.Score, output.Grade),
+ ))
+ }
+
+ // Group findings by file for better readability
+ findingsByFile := make(map[string][]runnerGuardFinding)
+ for _, finding := range output.Findings {
+ findingsByFile[finding.File] = append(findingsByFile[finding.File], finding)
+ }
+
+ // Display findings for each file
+ for filePath, findings := range findingsByFile {
+ // Validate and sanitize file path to prevent path traversal
+ cleanPath := filepath.Clean(filePath)
+
+ absPath := cleanPath
+ if !filepath.IsAbs(cleanPath) {
+ absPath = filepath.Join(gitRoot, cleanPath)
+ }
+
+ absGitRoot, err := filepath.Abs(gitRoot)
+ if err != nil {
+ runnerGuardLog.Printf("Failed to get absolute path for git root: %v", err)
+ continue
+ }
+
+ absPath, err = filepath.Abs(absPath)
+ if err != nil {
+ runnerGuardLog.Printf("Failed to get absolute path for %s: %v", filePath, err)
+ continue
+ }
+
+ // Check if the resolved path is within gitRoot to prevent path traversal
+ relPath, err := filepath.Rel(absGitRoot, absPath)
+ if err != nil || strings.HasPrefix(relPath, "..") {
+ runnerGuardLog.Printf("Skipping file outside git root: %s", filePath)
+ continue
+ }
+
+ // Read file content for context display
+ // #nosec G304 -- absPath is validated through: 1) filepath.Clean() normalization,
+ // 2) absolute path resolution, and 3) filepath.Rel() check ensuring it's within gitRoot.
+ // Path traversal attacks are prevented by the boundary validation above.
+ fileContent, err := os.ReadFile(absPath)
+ var fileLines []string
+ if err == nil {
+ fileLines = strings.Split(string(fileContent), "\n")
+ }
+
+ for _, finding := range findings {
+ lineNum := finding.Line
+ if lineNum == 0 {
+ lineNum = 1
+ }
+
+ // Create context lines around the finding
+ var context []string
+ if len(fileLines) > 0 && lineNum > 0 && lineNum <= len(fileLines) {
+ startLine := max(1, lineNum-2)
+ endLine := min(len(fileLines), lineNum+2)
+ for i := startLine; i <= endLine; i++ {
+ if i-1 < len(fileLines) {
+ context = append(context, fileLines[i-1])
+ }
+ }
+ }
+
+ // Map severity to error type
+ errorType := "warning"
+ switch strings.ToLower(finding.Severity) {
+ case "critical", "high", "error":
+ errorType = "error"
+ case "note", "info":
+ errorType = "info"
+ }
+
+ // Build message
+ message := fmt.Sprintf("[%s] %s: %s", finding.Severity, finding.RuleID, finding.Name)
+ if finding.Description != "" {
+ message = fmt.Sprintf("%s - %s", message, finding.Description)
+ }
+
+ compilerErr := console.CompilerError{
+ Position: console.ErrorPosition{
+ File: finding.File,
+ Line: lineNum,
+ Column: 1,
+ },
+ Type: errorType,
+ Message: message,
+ Context: context,
+ }
+
+ fmt.Fprint(os.Stderr, console.FormatError(compilerErr))
+ }
+ }
+
+ return totalFindings, nil
+}
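Review bot: In strict mode `runRunnerGuardOnDirectory` fails open when the scanner output cannot be parsed: `parseAndDisplayRunnerGuardOutput` returns 0 together with `parseErr`, so in the `exitCode == 1` branch `strict && totalFindings > 0` is false and the function returns nil. I would add `if strict && parseErr != nil { return fmt.Errorf("strict mode: runner-guard output could not be parsed: %w", parseErr) }` ahead of the findings check, so an unreadable result is never reported as a clean one. Separately, `gitRoot+":/workdir"` bind-mounts the whole repository read-write into a third-party image; if runner-guard only reads the tree (not verifiable from this file), `gitRoot+":/workdir:ro"` limits what a faulty or compromised image can modify. The `filepath.Rel` boundary check is lexical and does not resolve symlinks before `os.ReadFile`, so the `#nosec G304` comment should say that, or the path should go through `filepath.EvalSymlinks` first.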
From 7d7cf8afb15ce1c029427ef84a4063045082ab91 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 8 Apr 2026 12:22:39 +0000
Subject: [PATCH 2/6] chore: merge main and recompile lock files
- Resolve conflict in mcp_tools_readonly.go: use DockerUnavailableError from main
while preserving RunnerGuard support from this branch
- Update docker_images_test.go for new test from main (5-param CheckAndPrepareDockerImages)
- Recompile all 182 workflow lock files
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2051d7b9-f534-443a-8db5-11384d63688a
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
...ch-bump-claude-copilot-default-versions.md | 5 +
.github/aw/github-agentic-workflows.md | 32 ++
.github/workflows/ace-editor.lock.yml | 6 +-
.../agent-performance-analyzer.lock.yml | 8 +-
.../workflows/agent-persona-explorer.lock.yml | 8 +-
.../agentic-observability-kit.lock.yml | 8 +-
.../workflows/api-consumption-report.lock.yml | 8 +-
.github/workflows/archie.lock.yml | 8 +-
.github/workflows/artifacts-summary.lock.yml | 8 +-
.github/workflows/audit-workflows.lock.yml | 8 +-
.github/workflows/auto-triage-issues.lock.yml | 8 +-
.github/workflows/blog-auditor.lock.yml | 8 +-
.github/workflows/bot-detection.lock.yml | 6 +-
.github/workflows/brave.lock.yml | 8 +-
.../breaking-change-checker.lock.yml | 8 +-
.github/workflows/ci-coach.lock.yml | 8 +-
.github/workflows/ci-doctor.lock.yml | 8 +-
.../claude-code-user-docs-review.lock.yml | 8 +-
.../cli-consistency-checker.lock.yml | 8 +-
.../workflows/cli-version-checker.lock.yml | 8 +-
.github/workflows/cloclo.lock.yml | 8 +-
.../workflows/code-scanning-fixer.lock.yml | 8 +-
.github/workflows/code-simplifier.lock.yml | 8 +-
.../commit-changes-analyzer.lock.yml | 8 +-
.../constraint-solving-potd.lock.yml | 8 +-
.github/workflows/contribution-check.lock.yml | 8 +-
.../workflows/copilot-agent-analysis.lock.yml | 8 +-
.../copilot-cli-deep-research.lock.yml | 8 +-
.../copilot-pr-merged-report.lock.yml | 8 +-
.../copilot-pr-nlp-analysis.lock.yml | 8 +-
.../copilot-pr-prompt-analysis.lock.yml | 8 +-
.../copilot-session-insights.lock.yml | 8 +-
.../workflows/copilot-token-audit.lock.yml | 8 +-
.../copilot-token-optimizer.lock.yml | 8 +-
.github/workflows/craft.lock.yml | 8 +-
.../daily-architecture-diagram.lock.yml | 8 +-
.../daily-assign-issue-to-user.lock.yml | 8 +-
.github/workflows/daily-choice-test.lock.yml | 8 +-
.../workflows/daily-cli-performance.lock.yml | 8 +-
.../workflows/daily-cli-tools-tester.lock.yml | 8 +-
.github/workflows/daily-code-metrics.lock.yml | 8 +-
.../daily-community-attribution.lock.yml | 8 +-
.../workflows/daily-compiler-quality.lock.yml | 8 +-
.github/workflows/daily-doc-healer.lock.yml | 8 +-
.github/workflows/daily-doc-updater.lock.yml | 8 +-
.github/workflows/daily-file-diet.lock.yml | 8 +-
.../workflows/daily-firewall-report.lock.yml | 8 +-
.../workflows/daily-function-namer.lock.yml | 8 +-
.../daily-integrity-analysis.lock.yml | 8 +-
.../workflows/daily-issues-report.lock.yml | 8 +-
.../daily-malicious-code-scan.lock.yml | 6 +-
.../daily-mcp-concurrency-analysis.lock.yml | 8 +-
.../daily-multi-device-docs-tester.lock.yml | 8 +-
.github/workflows/daily-news.lock.yml | 8 +-
...aily-otel-instrumentation-advisor.lock.yml | 8 +-
.../daily-performance-summary.lock.yml | 8 +-
.github/workflows/daily-regulatory.lock.yml | 8 +-
.../daily-rendering-scripts-verifier.lock.yml | 8 +-
.../workflows/daily-repo-chronicle.lock.yml | 8 +-
.../daily-safe-output-integrator.lock.yml | 8 +-
.../daily-safe-output-optimizer.lock.yml | 8 +-
.../daily-safe-outputs-conformance.lock.yml | 8 +-
.../workflows/daily-secrets-analysis.lock.yml | 8 +-
.../daily-security-red-team.lock.yml | 8 +-
.github/workflows/daily-semgrep-scan.lock.yml | 8 +-
.../daily-syntax-error-quality.lock.yml | 8 +-
.../daily-team-evolution-insights.lock.yml | 8 +-
.github/workflows/daily-team-status.lock.yml | 8 +-
.../daily-testify-uber-super-expert.lock.yml | 8 +-
.../workflows/daily-workflow-updater.lock.yml | 8 +-
.github/workflows/dead-code-remover.lock.yml | 8 +-
.github/workflows/deep-report.lock.yml | 8 +-
.github/workflows/delight.lock.yml | 8 +-
.github/workflows/dependabot-burner.lock.yml | 8 +-
.../workflows/dependabot-go-checker.lock.yml | 8 +-
.github/workflows/dev-hawk.lock.yml | 8 +-
.github/workflows/dev.lock.yml | 8 +-
.../developer-docs-consolidator.lock.yml | 8 +-
.github/workflows/dictation-prompt.lock.yml | 8 +-
.../workflows/discussion-task-miner.lock.yml | 8 +-
.github/workflows/docs-noob-tester.lock.yml | 8 +-
.github/workflows/draft-pr-cleanup.lock.yml | 8 +-
.../example-permissions-warning.lock.yml | 6 +-
.../example-workflow-analyzer.lock.yml | 8 +-
.github/workflows/firewall-escape.lock.yml | 8 +-
.github/workflows/firewall.lock.yml | 6 +-
.../workflows/functional-pragmatist.lock.yml | 8 +-
.../github-mcp-structural-analysis.lock.yml | 8 +-
.../github-mcp-tools-report.lock.yml | 8 +-
.../github-remote-mcp-auth-test.lock.yml | 8 +-
.../workflows/glossary-maintainer.lock.yml | 8 +-
.github/workflows/go-fan.lock.yml | 8 +-
.github/workflows/go-logger.lock.yml | 8 +-
.../workflows/go-pattern-detector.lock.yml | 8 +-
.github/workflows/gpclean.lock.yml | 8 +-
.github/workflows/hourly-ci-cleaner.lock.yml | 8 +-
.../workflows/instructions-janitor.lock.yml | 8 +-
.github/workflows/issue-monster.lock.yml | 8 +-
.github/workflows/issue-triage-agent.lock.yml | 8 +-
.github/workflows/jsweep.lock.yml | 8 +-
.../workflows/layout-spec-maintainer.lock.yml | 8 +-
.github/workflows/lockfile-stats.lock.yml | 8 +-
.github/workflows/mcp-inspector.lock.yml | 8 +-
.github/workflows/mergefest.lock.yml | 8 +-
.github/workflows/metrics-collector.lock.yml | 6 +-
.../workflows/notion-issue-summary.lock.yml | 8 +-
.github/workflows/org-health-report.lock.yml | 8 +-
.github/workflows/pdf-summary.lock.yml | 8 +-
.github/workflows/plan.lock.yml | 8 +-
.github/workflows/poem-bot.lock.yml | 8 +-
.github/workflows/portfolio-analyst.lock.yml | 8 +-
.../workflows/pr-nitpick-reviewer.lock.yml | 8 +-
.github/workflows/pr-triage-agent.lock.yml | 8 +-
.../prompt-clustering-analysis.lock.yml | 8 +-
.github/workflows/python-data-charts.lock.yml | 8 +-
.github/workflows/q.lock.yml | 8 +-
.github/workflows/refiner.lock.yml | 8 +-
.github/workflows/release.lock.yml | 8 +-
.../workflows/repo-audit-analyzer.lock.yml | 8 +-
.github/workflows/repo-tree-map.lock.yml | 8 +-
.../repository-quality-improver.lock.yml | 8 +-
.github/workflows/research.lock.yml | 8 +-
.github/workflows/safe-output-health.lock.yml | 8 +-
.../schema-consistency-checker.lock.yml | 8 +-
.github/workflows/scout.lock.yml | 8 +-
.../workflows/security-compliance.lock.yml | 8 +-
.github/workflows/security-review.lock.yml | 8 +-
.../semantic-function-refactor.lock.yml | 8 +-
.github/workflows/sergo.lock.yml | 8 +-
.../workflows/slide-deck-maintainer.lock.yml | 8 +-
.../workflows/smoke-agent-all-merged.lock.yml | 8 +-
.../workflows/smoke-agent-all-none.lock.yml | 8 +-
.../smoke-agent-public-approved.lock.yml | 8 +-
.../smoke-agent-public-none.lock.yml | 8 +-
.../smoke-agent-scoped-approved.lock.yml | 8 +-
.github/workflows/smoke-claude.lock.yml | 8 +-
.github/workflows/smoke-copilot-arm.lock.yml | 8 +-
.github/workflows/smoke-copilot.lock.yml | 8 +-
.../smoke-create-cross-repo-pr.lock.yml | 8 +-
.github/workflows/smoke-multi-pr.lock.yml | 8 +-
.github/workflows/smoke-project.lock.yml | 8 +-
.../workflows/smoke-service-ports.lock.yml | 8 +-
.github/workflows/smoke-temporary-id.lock.yml | 8 +-
.github/workflows/smoke-test-tools.lock.yml | 8 +-
.../smoke-update-cross-repo-pr.lock.yml | 8 +-
.../smoke-workflow-call-with-inputs.lock.yml | 8 +-
.../workflows/smoke-workflow-call.lock.yml | 8 +-
.../workflows/stale-repo-identifier.lock.yml | 8 +-
.../workflows/static-analysis-report.lock.yml | 8 +-
.../workflows/step-name-alignment.lock.yml | 8 +-
.github/workflows/sub-issue-closer.lock.yml | 8 +-
.github/workflows/super-linter.lock.yml | 8 +-
.../workflows/technical-doc-writer.lock.yml | 8 +-
.github/workflows/terminal-stylist.lock.yml | 8 +-
.../test-create-pr-error-handling.lock.yml | 8 +-
.github/workflows/test-dispatcher.lock.yml | 8 +-
.../test-project-url-default.lock.yml | 8 +-
.github/workflows/test-workflow.lock.yml | 6 +-
.github/workflows/tidy.lock.yml | 8 +-
.github/workflows/typist.lock.yml | 8 +-
.../workflows/ubuntu-image-analyzer.lock.yml | 8 +-
.github/workflows/unbloat-docs.lock.yml | 8 +-
.github/workflows/update-astro.lock.yml | 8 +-
.github/workflows/video-analyzer.lock.yml | 8 +-
.../weekly-blog-post-writer.lock.yml | 8 +-
.../weekly-editors-health-check.lock.yml | 8 +-
.../workflows/weekly-issue-summary.lock.yml | 8 +-
.../weekly-safe-outputs-spec-review.lock.yml | 8 +-
.github/workflows/workflow-generator.lock.yml | 8 +-
.../workflow-health-manager.lock.yml | 8 +-
.../workflows/workflow-normalizer.lock.yml | 8 +-
.../workflow-skill-extractor.lock.yml | 8 +-
README.md | 2 +
docs/astro.config.mjs | 4 +
docs/package-lock.json | 22 +-
docs/package.json | 4 +-
docs/src/content/docs/patterns/batch-ops.md | 268 ++++++++++++++++
.../content/docs/patterns/workqueue-ops.md | 188 ++++++++++++
docs/src/content/docs/reference/glossary.md | 8 +
pkg/cli/codemod_expires_integer.go | 10 +-
pkg/cli/codemod_expires_integer_test.go | 22 +-
pkg/cli/docker_images.go | 17 +-
pkg/cli/docker_images_test.go | 22 ++
pkg/cli/fix_codemods.go | 2 +-
pkg/cli/mcp_tools_readonly.go | 77 ++++-
pkg/cli/mcp_tools_readonly_test.go | 81 +++++
pkg/constants/version_constants.go | 4 +-
pkg/parser/import_field_extractor.go | 10 +-
pkg/parser/import_processor.go | 1 +
pkg/parser/schemas/main_workflow_schema.json | 35 +++
.../compiler_orchestrator_workflow.go | 134 ++++++--
.../compiler_orchestrator_workflow_test.go | 96 +++++-
pkg/workflow/compiler_presteps_test.go | 288 ++++++++++++++++++
pkg/workflow/compiler_types.go | 1 +
pkg/workflow/compiler_yaml.go | 45 +--
pkg/workflow/compiler_yaml_main_job.go | 9 +
pkg/workflow/frontmatter_types.go | 4 +
pkg/workflow/strict_mode_steps_validation.go | 4 +-
scratchpad/dev.md | 51 +++-
199 files changed, 2023 insertions(+), 769 deletions(-)
create mode 100644 .changeset/patch-bump-claude-copilot-default-versions.md
create mode 100644 docs/src/content/docs/patterns/batch-ops.md
create mode 100644 docs/src/content/docs/patterns/workqueue-ops.md
create mode 100644 pkg/cli/mcp_tools_readonly_test.go
create mode 100644 pkg/workflow/compiler_presteps_test.go
diff --git a/.changeset/patch-bump-claude-copilot-default-versions.md b/.changeset/patch-bump-claude-copilot-default-versions.md
new file mode 100644
index 00000000000..3b0b5892564
--- /dev/null
+++ b/.changeset/patch-bump-claude-copilot-default-versions.md
@@ -0,0 +1,5 @@
+---
+"gh-aw": patch
+---
+
+Bump default bundled tool versions: Claude Code from 2.1.92 to 2.1.94 and Copilot CLI from 1.0.20 to 1.0.21.
diff --git a/.github/aw/github-agentic-workflows.md b/.github/aw/github-agentic-workflows.md
index 4a8b20645c5..adf44a1e440 100644
--- a/.github/aw/github-agentic-workflows.md
+++ b/.github/aw/github-agentic-workflows.md
@@ -990,6 +990,28 @@ The YAML frontmatter supports these fields:
```
Publishes workflow artifacts to an orphaned git branch for persistent storage. Default allowed extensions include common non-executable types. Maximum file size is 50MB (51200 KB).
+ - `upload-artifact:` - Upload files as run-scoped GitHub Actions artifacts
+
+ ```yaml
+ safe-outputs:
+ upload-artifact:
+ max-uploads: 5 # Optional: max upload_artifact tool calls (default: 1)
+ default-retention-days: 7 # Optional: default retention period in days (default: 7)
+ max-retention-days: 30 # Optional: maximum retention cap in days (default: 30)
+ max-size-bytes: 104857600 # Optional: max bytes per upload (default: 100 MB)
+ allowed-paths: # Optional: glob patterns restricting uploadable paths
+ - "reports/**"
+ - "*.json"
+ filters: # Optional: default include/exclude glob filters
+ include: ["*.json", "*.csv"]
+ exclude: ["*secret*"]
+ defaults: # Optional: default values injected when agent omits a field
+ if-no-files: "ignore" # "error" or "ignore" when no files match (default: "error")
+ allow: # Optional: opt-in behaviors
+ skip-archive: true # Allow agent to upload files without zipping
+ ```
+
+ Uploads files as run-scoped GitHub Actions artifacts (distinct from `upload-asset`, which publishes to a git branch). Artifacts are temporary and tied to the workflow run. Agents call `upload_artifact` with a `name`, `path`, and optional `retention_days`.
- `dispatch-workflow:` - Trigger other workflows with inputs
```yaml
@@ -2296,6 +2318,16 @@ Create an issue with your findings, including:
This example demonstrates using the agentic-workflows tool to analyze workflow execution history and provide actionable improvement recommendations.
+### High-Volume Processing Patterns
+
+For workflows processing large numbers of items, use these design patterns:
+
+- **WorkQueueOps** — Queue-based sequential processing using issue checklists, sub-issues, cache-memory, or Discussions as durable queue backends. Best for ordered work with dependencies, human-readable progress tracking, and multi-day processing horizons. Use `concurrency.group` with `cancel-in-progress: false` to prevent race conditions.
+
+- **BatchOps** — Parallel or chunked processing using matrix jobs, rate-limit-aware throttling, and result aggregation. Best for 50+ fully independent items. Use `fail-fast: false` in matrix jobs so one shard failure doesn't cancel others.
+
+Both patterns support idempotent operations, concurrency controls, and partial failure handling via cache-memory for state persistence across runs.
+
## Workflow Monitoring and Analysis
### Logs and Metrics
diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml
index f07fdd47725..0c89e0a1b05 100644
--- a/.github/workflows/ace-editor.lock.yml
+++ b/.github/workflows/ace-editor.lock.yml
@@ -94,8 +94,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "ACE Editor Session"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -354,7 +354,7 @@ jobs:
git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
echo "Git configured with standard GitHub Actions identity"
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml
index 8d5354653d9..e636be15411 100644
--- a/.github/workflows/agent-performance-analyzer.lock.yml
+++ b/.github/workflows/agent-performance-analyzer.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -409,7 +409,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1194,7 +1194,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml
index 8d50b4effa3..6c1056a7894 100644
--- a/.github/workflows/agent-persona-explorer.lock.yml
+++ b/.github/workflows/agent-persona-explorer.lock.yml
@@ -101,8 +101,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Agent Persona Explorer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -415,7 +415,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1144,7 +1144,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/agentic-observability-kit.lock.yml b/.github/workflows/agentic-observability-kit.lock.yml
index a95189a4c9c..f8590e03a22 100644
--- a/.github/workflows/agentic-observability-kit.lock.yml
+++ b/.github/workflows/agentic-observability-kit.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Agentic Observability Kit"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -387,7 +387,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1143,7 +1143,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml
index 27e8986e8f6..8af8f03b88b 100644
--- a/.github/workflows/api-consumption-report.lock.yml
+++ b/.github/workflows/api-consumption-report.lock.yml
@@ -103,8 +103,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "GitHub API Consumption Report Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -458,7 +458,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1276,7 +1276,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml
index 6ec23da2acc..3319d80fdf0 100644
--- a/.github/workflows/archie.lock.yml
+++ b/.github/workflows/archie.lock.yml
@@ -107,8 +107,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Archie"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -446,7 +446,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1160,7 +1160,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml
index 23532e0b9d9..832159f5a80 100644
--- a/.github/workflows/artifacts-summary.lock.yml
+++ b/.github/workflows/artifacts-summary.lock.yml
@@ -92,8 +92,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Artifacts Summary"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -346,7 +346,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1019,7 +1019,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml
index 43894a77959..5a23b536c08 100644
--- a/.github/workflows/audit-workflows.lock.yml
+++ b/.github/workflows/audit-workflows.lock.yml
@@ -104,8 +104,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Agentic Workflow Audit Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -477,7 +477,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1309,7 +1309,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml
index 660cfc20ffc..53c7d12c319 100644
--- a/.github/workflows/auto-triage-issues.lock.yml
+++ b/.github/workflows/auto-triage-issues.lock.yml
@@ -102,8 +102,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Auto-Triage Issues"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -364,7 +364,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1075,7 +1075,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml
index d5256cd2fa7..0f3b6f700b0 100644
--- a/.github/workflows/blog-auditor.lock.yml
+++ b/.github/workflows/blog-auditor.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Blog Auditor"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -365,7 +365,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1162,7 +1162,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml
index f1051de22cf..53caf450f92 100644
--- a/.github/workflows/bot-detection.lock.yml
+++ b/.github/workflows/bot-detection.lock.yml
@@ -91,8 +91,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Bot Detection"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -368,7 +368,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml
index d90a2434058..3290e0e2f45 100644
--- a/.github/workflows/brave.lock.yml
+++ b/.github/workflows/brave.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Brave Web Search Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -403,7 +403,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1107,7 +1107,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml
index 1030c05d90f..dbaf28878fe 100644
--- a/.github/workflows/breaking-change-checker.lock.yml
+++ b/.github/workflows/breaking-change-checker.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Breaking Change Checker"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -355,7 +355,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1059,7 +1059,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml
index 4d108df50ef..17598214c19 100644
--- a/.github/workflows/ci-coach.lock.yml
+++ b/.github/workflows/ci-coach.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "CI Optimization Coach"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -425,7 +425,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1124,7 +1124,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml
index 783947265d5..03b52e84125 100644
--- a/.github/workflows/ci-doctor.lock.yml
+++ b/.github/workflows/ci-doctor.lock.yml
@@ -108,8 +108,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "CI Failure Doctor"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -482,7 +482,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1336,7 +1336,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml
index 56f6cee3cc7..120003b0479 100644
--- a/.github/workflows/claude-code-user-docs-review.lock.yml
+++ b/.github/workflows/claude-code-user-docs-review.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Claude Code User Documentation Review"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -387,7 +387,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1136,7 +1136,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml
index b78e4ced3a2..83b77d5ee8d 100644
--- a/.github/workflows/cli-consistency-checker.lock.yml
+++ b/.github/workflows/cli-consistency-checker.lock.yml
@@ -87,8 +87,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "CLI Consistency Checker"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -342,7 +342,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1019,7 +1019,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml
index 3f165db6c62..19d1e2ed111 100644
--- a/.github/workflows/cli-version-checker.lock.yml
+++ b/.github/workflows/cli-version-checker.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "CLI Version Checker"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -388,7 +388,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1137,7 +1137,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml
index 338dbfcb02b..6f216b0de1c 100644
--- a/.github/workflows/cloclo.lock.yml
+++ b/.github/workflows/cloclo.lock.yml
@@ -133,8 +133,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "/cloclo"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -570,7 +570,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1503,7 +1503,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml
index ddc492cf6f6..81f57d48278 100644
--- a/.github/workflows/code-scanning-fixer.lock.yml
+++ b/.github/workflows/code-scanning-fixer.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Code Scanning Fixer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -388,7 +388,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1117,7 +1117,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml
index bdf8571dd7a..722b259b97c 100644
--- a/.github/workflows/code-simplifier.lock.yml
+++ b/.github/workflows/code-simplifier.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Code Simplifier"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -364,7 +364,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1051,7 +1051,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml
index 9fe429af7d2..d00d1b57d62 100644
--- a/.github/workflows/commit-changes-analyzer.lock.yml
+++ b/.github/workflows/commit-changes-analyzer.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Commit Changes Analyzer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -362,7 +362,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1091,7 +1091,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml
index 647a3536a98..4d3242b4c54 100644
--- a/.github/workflows/constraint-solving-potd.lock.yml
+++ b/.github/workflows/constraint-solving-potd.lock.yml
@@ -90,8 +90,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Constraint Solving — Problem of the Day"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -352,7 +352,7 @@ jobs:
git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
echo "Git configured with standard GitHub Actions identity"
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1037,7 +1037,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml
index f3694e5e7b3..bd58af06451 100644
--- a/.github/workflows/contribution-check.lock.yml
+++ b/.github/workflows/contribution-check.lock.yml
@@ -91,8 +91,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Contribution Check"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -352,7 +352,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1070,7 +1070,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
index 415e4549b67..16f799afa67 100644
--- a/.github/workflows/copilot-agent-analysis.lock.yml
+++ b/.github/workflows/copilot-agent-analysis.lock.yml
@@ -101,8 +101,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Copilot Agent PR Analysis"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -426,7 +426,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1184,7 +1184,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml
index 1ea18c4defb..7a42fadc27e 100644
--- a/.github/workflows/copilot-cli-deep-research.lock.yml
+++ b/.github/workflows/copilot-cli-deep-research.lock.yml
@@ -91,8 +91,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Copilot CLI Deep Research Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -373,7 +373,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1082,7 +1082,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml
index 5907b77944b..fcd6bc19cc6 100644
--- a/.github/workflows/copilot-pr-merged-report.lock.yml
+++ b/.github/workflows/copilot-pr-merged-report.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Copilot PR Merged Report"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -391,7 +391,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1207,7 +1207,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
index 6981ab1b11b..7f13827256d 100644
--- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
@@ -101,8 +101,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Copilot PR Conversation NLP Analysis"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -454,7 +454,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1179,7 +1179,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
index 827cfc48068..90cddeb4bfd 100644
--- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Copilot PR Prompt Pattern Analysis"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -414,7 +414,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1113,7 +1113,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
index 9dcb57627cc..7ff0609fd7f 100644
--- a/.github/workflows/copilot-session-insights.lock.yml
+++ b/.github/workflows/copilot-session-insights.lock.yml
@@ -104,8 +104,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Copilot Session Insights"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -464,7 +464,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1248,7 +1248,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml
index 7a11cdb1a6d..6700639645f 100644
--- a/.github/workflows/copilot-token-audit.lock.yml
+++ b/.github/workflows/copilot-token-audit.lock.yml
@@ -102,8 +102,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Copilot Token Usage Audit"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -472,7 +472,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1221,7 +1221,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/copilot-token-optimizer.lock.yml b/.github/workflows/copilot-token-optimizer.lock.yml
index 795638d4afd..b695569fb37 100644
--- a/.github/workflows/copilot-token-optimizer.lock.yml
+++ b/.github/workflows/copilot-token-optimizer.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Copilot Token Usage Optimizer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -415,7 +415,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1110,7 +1110,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml
index 5fbfa9da3c0..6f9b0266a56 100644
--- a/.github/workflows/craft.lock.yml
+++ b/.github/workflows/craft.lock.yml
@@ -94,8 +94,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Workflow Craft Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -406,7 +406,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1113,7 +1113,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml
index 8d421dea7ed..760ad4c38c8 100644
--- a/.github/workflows/daily-architecture-diagram.lock.yml
+++ b/.github/workflows/daily-architecture-diagram.lock.yml
@@ -104,8 +104,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Architecture Diagram Generator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -385,7 +385,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1136,7 +1136,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml
index d28b75a5eb7..a5ed20bfcea 100644
--- a/.github/workflows/daily-assign-issue-to-user.lock.yml
+++ b/.github/workflows/daily-assign-issue-to-user.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Auto-Assign Issue"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -354,7 +354,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1062,7 +1062,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml
index acead66e08c..86d70fccbcc 100644
--- a/.github/workflows/daily-choice-test.lock.yml
+++ b/.github/workflows/daily-choice-test.lock.yml
@@ -103,8 +103,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Choice Type Test"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -368,7 +368,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1123,7 +1123,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml
index 85c08dbda24..2635aa2f3ee 100644
--- a/.github/workflows/daily-cli-performance.lock.yml
+++ b/.github/workflows/daily-cli-performance.lock.yml
@@ -130,8 +130,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily CLI Performance Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -419,7 +419,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1308,7 +1308,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml
index 1e32fb12bac..c60608efe06 100644
--- a/.github/workflows/daily-cli-tools-tester.lock.yml
+++ b/.github/workflows/daily-cli-tools-tester.lock.yml
@@ -106,8 +106,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily CLI Tools Exploratory Tester"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -400,7 +400,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1143,7 +1143,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml
index d02c5cbea99..d6a1312d26b 100644
--- a/.github/workflows/daily-code-metrics.lock.yml
+++ b/.github/workflows/daily-code-metrics.lock.yml
@@ -110,8 +110,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Code Metrics and Trend Tracking Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -453,7 +453,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1263,7 +1263,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml
index 3892de79c46..4e56ae2dbe1 100644
--- a/.github/workflows/daily-community-attribution.lock.yml
+++ b/.github/workflows/daily-community-attribution.lock.yml
@@ -104,8 +104,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Community Attribution Updater"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -401,7 +401,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1151,7 +1151,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml
index e9f2a84fcb0..85517649dcd 100644
--- a/.github/workflows/daily-compiler-quality.lock.yml
+++ b/.github/workflows/daily-compiler-quality.lock.yml
@@ -107,8 +107,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Compiler Quality Check"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -420,7 +420,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1189,7 +1189,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml
index 3058eda22d1..1b327c71dfd 100644
--- a/.github/workflows/daily-doc-healer.lock.yml
+++ b/.github/workflows/daily-doc-healer.lock.yml
@@ -108,8 +108,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Documentation Healer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -400,7 +400,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1241,7 +1241,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml
index b4c6d8b9ad9..7e5d112e7d9 100644
--- a/.github/workflows/daily-doc-updater.lock.yml
+++ b/.github/workflows/daily-doc-updater.lock.yml
@@ -107,8 +107,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Documentation Updater"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -399,7 +399,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Parse integrity filter lists
id: parse-guard-vars
env:
@@ -1206,7 +1206,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml
index 22e5196b87c..ab75ec98364 100644
--- a/.github/workflows/daily-file-diet.lock.yml
+++ b/.github/workflows/daily-file-diet.lock.yml
@@ -110,8 +110,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily File Diet"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -405,7 +405,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1162,7 +1162,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml
index 027657f4d78..f0ea66c1946 100644
--- a/.github/workflows/daily-firewall-report.lock.yml
+++ b/.github/workflows/daily-firewall-report.lock.yml
@@ -111,8 +111,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Firewall Logs Collector and Reporter"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -455,7 +455,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1236,7 +1236,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml
index 36769ed145a..46726117445 100644
--- a/.github/workflows/daily-function-namer.lock.yml
+++ b/.github/workflows/daily-function-namer.lock.yml
@@ -108,8 +108,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Go Function Namer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -431,7 +431,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1231,7 +1231,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-integrity-analysis.lock.yml b/.github/workflows/daily-integrity-analysis.lock.yml
index 4b8c8fffd59..9903a803aec 100644
--- a/.github/workflows/daily-integrity-analysis.lock.yml
+++ b/.github/workflows/daily-integrity-analysis.lock.yml
@@ -111,8 +111,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily DIFC Integrity-Filtered Events Analyzer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -472,7 +472,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1253,7 +1253,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml
index 6bc364ab46b..0a8af643d1e 100644
--- a/.github/workflows/daily-issues-report.lock.yml
+++ b/.github/workflows/daily-issues-report.lock.yml
@@ -117,8 +117,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Issues Report Generator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -468,7 +468,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1210,7 +1210,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml
index c17ec3e8c50..96e52abc83e 100644
--- a/.github/workflows/daily-malicious-code-scan.lock.yml
+++ b/.github/workflows/daily-malicious-code-scan.lock.yml
@@ -102,8 +102,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Malicious Code Scan Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -359,7 +359,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml
index 6e33997fdfb..8055d2be7b0 100644
--- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml
+++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml
@@ -106,8 +106,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -418,7 +418,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1203,7 +1203,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml
index 1cf99c7ce72..beb0365ab1f 100644
--- a/.github/workflows/daily-multi-device-docs-tester.lock.yml
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml
@@ -109,8 +109,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Multi-Device Docs Tester"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -392,7 +392,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1245,7 +1245,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml
index 504796bdb28..2a02f3d1dd3 100644
--- a/.github/workflows/daily-news.lock.yml
+++ b/.github/workflows/daily-news.lock.yml
@@ -111,8 +111,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily News"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -524,7 +524,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1298,7 +1298,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-otel-instrumentation-advisor.lock.yml b/.github/workflows/daily-otel-instrumentation-advisor.lock.yml
index fbd6c397de5..a6018e10332 100644
--- a/.github/workflows/daily-otel-instrumentation-advisor.lock.yml
+++ b/.github/workflows/daily-otel-instrumentation-advisor.lock.yml
@@ -104,8 +104,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily OTel Instrumentation Advisor"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -376,7 +376,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1153,7 +1153,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index e3bbfcfce67..13dbbbc6ebf 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -109,8 +109,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -424,7 +424,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1645,7 +1645,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml
index 8392e3a15ee..8c42ab9d810 100644
--- a/.github/workflows/daily-regulatory.lock.yml
+++ b/.github/workflows/daily-regulatory.lock.yml
@@ -105,8 +105,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Regulatory Report Generator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -370,7 +370,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1553,7 +1553,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml
index 175193eda6a..2fc38dee415 100644
--- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml
+++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml
@@ -115,8 +115,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Rendering Scripts Verifier"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -443,7 +443,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1296,7 +1296,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml
index 0ee4b133837..c913711e66e 100644
--- a/.github/workflows/daily-repo-chronicle.lock.yml
+++ b/.github/workflows/daily-repo-chronicle.lock.yml
@@ -106,8 +106,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "The Daily Repository Chronicle"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -417,7 +417,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1154,7 +1154,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml
index 3033e91f5d2..ad71caf4035 100644
--- a/.github/workflows/daily-safe-output-integrator.lock.yml
+++ b/.github/workflows/daily-safe-output-integrator.lock.yml
@@ -102,8 +102,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Safe Output Integrator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -363,7 +363,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1106,7 +1106,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml
index 9ecdfa40bfd..ba694090dde 100644
--- a/.github/workflows/daily-safe-output-optimizer.lock.yml
+++ b/.github/workflows/daily-safe-output-optimizer.lock.yml
@@ -116,8 +116,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Safe Output Tool Optimizer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -449,7 +449,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1277,7 +1277,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml
index 020474e05d5..38b34d9a1a7 100644
--- a/.github/workflows/daily-safe-outputs-conformance.lock.yml
+++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml
@@ -104,8 +104,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Safe Outputs Conformance Checker"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -371,7 +371,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1129,7 +1129,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml
index 16a9ca05bd6..7501b62cd81 100644
--- a/.github/workflows/daily-secrets-analysis.lock.yml
+++ b/.github/workflows/daily-secrets-analysis.lock.yml
@@ -102,8 +102,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Secrets Analysis Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -361,7 +361,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1060,7 +1060,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml
index 9ab2c707343..bd16e6b0e95 100644
--- a/.github/workflows/daily-security-red-team.lock.yml
+++ b/.github/workflows/daily-security-red-team.lock.yml
@@ -104,8 +104,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Security Red Team Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -375,7 +375,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1133,7 +1133,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml
index 7d5d452f416..5602f84f25c 100644
--- a/.github/workflows/daily-semgrep-scan.lock.yml
+++ b/.github/workflows/daily-semgrep-scan.lock.yml
@@ -104,8 +104,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Semgrep Scan"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -365,7 +365,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1091,7 +1091,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml
index 8f45deed9d7..bfd442af493 100644
--- a/.github/workflows/daily-syntax-error-quality.lock.yml
+++ b/.github/workflows/daily-syntax-error-quality.lock.yml
@@ -101,8 +101,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Syntax Error Quality Check"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -370,7 +370,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1096,7 +1096,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml
index 438fcdeb0a8..fa8b8851ea4 100644
--- a/.github/workflows/daily-team-evolution-insights.lock.yml
+++ b/.github/workflows/daily-team-evolution-insights.lock.yml
@@ -105,8 +105,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Daily Team Evolution Insights"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -375,7 +375,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1129,7 +1129,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml
index 9e4ba920994..80b4ead8b12 100644
--- a/.github/workflows/daily-team-status.lock.yml
+++ b/.github/workflows/daily-team-status.lock.yml
@@ -113,8 +113,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Team Status"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -375,7 +375,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1086,7 +1086,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml
index 25f5c9ad762..7e1347046b8 100644
--- a/.github/workflows/daily-testify-uber-super-expert.lock.yml
+++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml
@@ -110,8 +110,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Testify Uber Super Expert"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -429,7 +429,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1204,7 +1204,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml
index 2fbaf224737..8401e0ff55c 100644
--- a/.github/workflows/daily-workflow-updater.lock.yml
+++ b/.github/workflows/daily-workflow-updater.lock.yml
@@ -101,8 +101,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Daily Workflow Updater"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -359,7 +359,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1068,7 +1068,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml
index ea57f178b35..c4048d164b3 100644
--- a/.github/workflows/dead-code-remover.lock.yml
+++ b/.github/workflows/dead-code-remover.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Dead Code Removal Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -395,7 +395,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1090,7 +1090,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml
index 577fd6a7d7b..9e066f6db1d 100644
--- a/.github/workflows/deep-report.lock.yml
+++ b/.github/workflows/deep-report.lock.yml
@@ -102,8 +102,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "DeepReport - Intelligence Gathering Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -471,7 +471,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1336,7 +1336,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml
index 7c1a3436bd6..fac832607d8 100644
--- a/.github/workflows/delight.lock.yml
+++ b/.github/workflows/delight.lock.yml
@@ -94,8 +94,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Delight"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -378,7 +378,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1127,7 +1127,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml
index 0f4fa9bdfbd..4b21796eb6f 100644
--- a/.github/workflows/dependabot-burner.lock.yml
+++ b/.github/workflows/dependabot-burner.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Dependabot Burner"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -354,7 +354,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1031,7 +1031,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml
index 584d41a6183..1962a9d1a74 100644
--- a/.github/workflows/dependabot-go-checker.lock.yml
+++ b/.github/workflows/dependabot-go-checker.lock.yml
@@ -92,8 +92,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Dependabot Dependency Checker"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -352,7 +352,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1048,7 +1048,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml
index 931a343aed8..cbba35d21ff 100644
--- a/.github/workflows/dev-hawk.lock.yml
+++ b/.github/workflows/dev-hawk.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Dev Hawk"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -405,7 +405,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1130,7 +1130,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index 0625f0bae5e..9a34729a63b 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -111,8 +111,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Dev"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -399,7 +399,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1094,7 +1094,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
index e6ad0d7c97e..191cb3af7c6 100644
--- a/.github/workflows/developer-docs-consolidator.lock.yml
+++ b/.github/workflows/developer-docs-consolidator.lock.yml
@@ -100,8 +100,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Developer Documentation Consolidator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -446,7 +446,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1295,7 +1295,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml
index 932135ab9a2..cb0174a6b52 100644
--- a/.github/workflows/dictation-prompt.lock.yml
+++ b/.github/workflows/dictation-prompt.lock.yml
@@ -92,8 +92,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Dictation Prompt Generator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -348,7 +348,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1031,7 +1031,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml
index c5c3f4fcc1f..c8185a371c4 100644
--- a/.github/workflows/discussion-task-miner.lock.yml
+++ b/.github/workflows/discussion-task-miner.lock.yml
@@ -94,8 +94,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Discussion Task Miner - Code Quality Improvement Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -377,7 +377,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1116,7 +1116,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml
index d2d50f6407c..1bc140e30ec 100644
--- a/.github/workflows/docs-noob-tester.lock.yml
+++ b/.github/workflows/docs-noob-tester.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Documentation Noob Tester"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -360,7 +360,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1075,7 +1075,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml
index b1e216fe343..7cda63cec09 100644
--- a/.github/workflows/draft-pr-cleanup.lock.yml
+++ b/.github/workflows/draft-pr-cleanup.lock.yml
@@ -87,8 +87,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Draft PR Cleanup"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -340,7 +340,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1060,7 +1060,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml
index bb6e0db80ba..c565f9cf530 100644
--- a/.github/workflows/example-permissions-warning.lock.yml
+++ b/.github/workflows/example-permissions-warning.lock.yml
@@ -86,8 +86,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Example: Properly Provisioned Permissions"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -321,7 +321,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml
index 37e8c707abe..fc2136d54f4 100644
--- a/.github/workflows/example-workflow-analyzer.lock.yml
+++ b/.github/workflows/example-workflow-analyzer.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Weekly Workflow Analysis"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -393,7 +393,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1164,7 +1164,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml
index 780195574c6..5eb82d6af8e 100644
--- a/.github/workflows/firewall-escape.lock.yml
+++ b/.github/workflows/firewall-escape.lock.yml
@@ -103,8 +103,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "The Great Escapi"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -413,7 +413,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1117,7 +1117,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml
index e648cc60b8f..69fbf8c87b4 100644
--- a/.github/workflows/firewall.lock.yml
+++ b/.github/workflows/firewall.lock.yml
@@ -86,8 +86,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Firewall Test Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -323,7 +323,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml
index f7f08f00d51..aa49d26dd1a 100644
--- a/.github/workflows/functional-pragmatist.lock.yml
+++ b/.github/workflows/functional-pragmatist.lock.yml
@@ -93,8 +93,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Functional Pragmatist"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -355,7 +355,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1042,7 +1042,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml
index a1975fb7340..3f46b546ab1 100644
--- a/.github/workflows/github-mcp-structural-analysis.lock.yml
+++ b/.github/workflows/github-mcp-structural-analysis.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "GitHub MCP Structural Analysis"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -419,7 +419,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1189,7 +1189,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index fce239e2888..16165311218 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "GitHub MCP Remote Server Tools Report Generator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -390,7 +390,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1174,7 +1174,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml
index 8820453a562..6640731fac6 100644
--- a/.github/workflows/github-remote-mcp-auth-test.lock.yml
+++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml
@@ -93,8 +93,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: "gpt-5.1-codex-mini"
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "GitHub Remote MCP Authentication Test"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -355,7 +355,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1037,7 +1037,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml
index 90909e442e6..111e5ace98f 100644
--- a/.github/workflows/glossary-maintainer.lock.yml
+++ b/.github/workflows/glossary-maintainer.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Glossary Maintainer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -456,7 +456,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1194,7 +1194,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml
index b6b7be1a4a8..2015bc101fc 100644
--- a/.github/workflows/go-fan.lock.yml
+++ b/.github/workflows/go-fan.lock.yml
@@ -100,8 +100,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Go Fan"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -422,7 +422,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1222,7 +1222,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml
index a3983897bc0..c3d16f4e85e 100644
--- a/.github/workflows/go-logger.lock.yml
+++ b/.github/workflows/go-logger.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Go Logger Enhancement"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -402,7 +402,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1335,7 +1335,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml
index 049db596d0d..27e2a61129d 100644
--- a/.github/workflows/go-pattern-detector.lock.yml
+++ b/.github/workflows/go-pattern-detector.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Go Pattern Detector"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -368,7 +368,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1159,7 +1159,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml
index d1d3e42c8bb..aca3cbab656 100644
--- a/.github/workflows/gpclean.lock.yml
+++ b/.github/workflows/gpclean.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "GPL Dependency Cleaner (gpclean)"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -381,7 +381,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1070,7 +1070,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml
index 12a3032d65b..d3a80b24a2a 100644
--- a/.github/workflows/hourly-ci-cleaner.lock.yml
+++ b/.github/workflows/hourly-ci-cleaner.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "CI Cleaner"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -413,7 +413,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1218,7 +1218,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml
index 27e48c7b8ea..820a7c6c101 100644
--- a/.github/workflows/instructions-janitor.lock.yml
+++ b/.github/workflows/instructions-janitor.lock.yml
@@ -93,8 +93,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Instructions Janitor"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -380,7 +380,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1156,7 +1156,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml
index ad896e73f7a..1465bbb2e5b 100644
--- a/.github/workflows/issue-monster.lock.yml
+++ b/.github/workflows/issue-monster.lock.yml
@@ -460,8 +460,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: "gpt-5.1-codex-mini"
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Issue Monster"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -731,7 +731,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1425,7 +1425,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml
index f89c846e224..f970b874481 100644
--- a/.github/workflows/issue-triage-agent.lock.yml
+++ b/.github/workflows/issue-triage-agent.lock.yml
@@ -93,8 +93,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Issue Triage Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -336,7 +336,7 @@ jobs:
git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
echo "Git configured with standard GitHub Actions identity"
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1020,7 +1020,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml
index f8633e38bb5..27c23eec35b 100644
--- a/.github/workflows/jsweep.lock.yml
+++ b/.github/workflows/jsweep.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "jsweep - JavaScript Unbloater"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -422,7 +422,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1150,7 +1150,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml
index d5c285767c0..812d40196eb 100644
--- a/.github/workflows/layout-spec-maintainer.lock.yml
+++ b/.github/workflows/layout-spec-maintainer.lock.yml
@@ -93,8 +93,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Layout Specification Maintainer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -359,7 +359,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1075,7 +1075,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml
index 837188f7538..e879b4ef42c 100644
--- a/.github/workflows/lockfile-stats.lock.yml
+++ b/.github/workflows/lockfile-stats.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Lockfile Statistics Analysis Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -383,7 +383,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1127,7 +1127,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml
index 9beaa6d4dd5..468600270eb 100644
--- a/.github/workflows/mcp-inspector.lock.yml
+++ b/.github/workflows/mcp-inspector.lock.yml
@@ -131,8 +131,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "MCP Inspector Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -500,7 +500,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1594,7 +1594,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml
index 667ccd3c20b..5272fad9937 100644
--- a/.github/workflows/mergefest.lock.yml
+++ b/.github/workflows/mergefest.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Mergefest"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -405,7 +405,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1127,7 +1127,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml
index 3352a853685..f1d7d907485 100644
--- a/.github/workflows/metrics-collector.lock.yml
+++ b/.github/workflows/metrics-collector.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Metrics Collector - Infrastructure Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -392,7 +392,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml
index 9a9b5f6ac69..e14312027bf 100644
--- a/.github/workflows/notion-issue-summary.lock.yml
+++ b/.github/workflows/notion-issue-summary.lock.yml
@@ -95,8 +95,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Issue Summary to Notion"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -354,7 +354,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1035,7 +1035,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml
index 07e8ad671cd..1cdc7f8097b 100644
--- a/.github/workflows/org-health-report.lock.yml
+++ b/.github/workflows/org-health-report.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Organization Health Report"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -414,7 +414,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1126,7 +1126,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml
index ce94f6e5af0..20e6c890b9f 100644
--- a/.github/workflows/pdf-summary.lock.yml
+++ b/.github/workflows/pdf-summary.lock.yml
@@ -122,8 +122,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Resource Summarizer Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -464,7 +464,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1204,7 +1204,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml
index a283de47854..c1cfb6c9d42 100644
--- a/.github/workflows/plan.lock.yml
+++ b/.github/workflows/plan.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Plan Command"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -404,7 +404,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1129,7 +1129,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml
index 8e0cdc2a9bc..9b5171c2622 100644
--- a/.github/workflows/poem-bot.lock.yml
+++ b/.github/workflows/poem-bot.lock.yml
@@ -116,8 +116,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: "gpt-5"
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Poem Bot - A Creative Agentic Workflow"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -457,7 +457,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1492,7 +1492,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml
index 5a6c417b3b3..6698610fbee 100644
--- a/.github/workflows/portfolio-analyst.lock.yml
+++ b/.github/workflows/portfolio-analyst.lock.yml
@@ -102,8 +102,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Automated Portfolio Analyst"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -461,7 +461,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1220,7 +1220,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml
index e563fd6df3c..81f2612e61f 100644
--- a/.github/workflows/pr-nitpick-reviewer.lock.yml
+++ b/.github/workflows/pr-nitpick-reviewer.lock.yml
@@ -105,8 +105,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "PR Nitpick Reviewer 🔍"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -435,7 +435,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1199,7 +1199,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml
index fc72377ecab..f066649903e 100644
--- a/.github/workflows/pr-triage-agent.lock.yml
+++ b/.github/workflows/pr-triage-agent.lock.yml
@@ -93,8 +93,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "PR Triage Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -376,7 +376,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1110,7 +1110,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml
index 89fa6d1a793..c130e2a9f44 100644
--- a/.github/workflows/prompt-clustering-analysis.lock.yml
+++ b/.github/workflows/prompt-clustering-analysis.lock.yml
@@ -108,8 +108,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Copilot Agent Prompt Clustering Analysis"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -484,7 +484,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1271,7 +1271,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml
index 6809e926103..3304dbb1a98 100644
--- a/.github/workflows/python-data-charts.lock.yml
+++ b/.github/workflows/python-data-charts.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Python Data Visualization Generator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -440,7 +440,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1195,7 +1195,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index 1bb820fb6ae..87ae3b082f8 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -131,8 +131,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Q"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -534,7 +534,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1363,7 +1363,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml
index b5e7a18b5bb..896309f15a9 100644
--- a/.github/workflows/refiner.lock.yml
+++ b/.github/workflows/refiner.lock.yml
@@ -110,8 +110,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Code Refiner"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -386,7 +386,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1091,7 +1091,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index fdf419c87e7..739e9896a70 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -111,8 +111,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Release"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -385,7 +385,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1193,7 +1193,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml
index fa672e2d48b..9e76cbf1f28 100644
--- a/.github/workflows/repo-audit-analyzer.lock.yml
+++ b/.github/workflows/repo-audit-analyzer.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Repository Audit & Agentic Workflow Opportunity Analyzer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -381,7 +381,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1068,7 +1068,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml
index c4296e455d1..53e793c477a 100644
--- a/.github/workflows/repo-tree-map.lock.yml
+++ b/.github/workflows/repo-tree-map.lock.yml
@@ -93,8 +93,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Repository Tree Map Generator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -350,7 +350,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1023,7 +1023,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml
index f4bdee8ee07..b310790e94f 100644
--- a/.github/workflows/repository-quality-improver.lock.yml
+++ b/.github/workflows/repository-quality-improver.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Repository Quality Improvement Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -413,7 +413,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1127,7 +1127,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml
index 77429769172..38bbe641da0 100644
--- a/.github/workflows/research.lock.yml
+++ b/.github/workflows/research.lock.yml
@@ -96,8 +96,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Basic Research Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -358,7 +358,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1054,7 +1054,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml
index 958dfe4175e..85ec992d425 100644
--- a/.github/workflows/safe-output-health.lock.yml
+++ b/.github/workflows/safe-output-health.lock.yml
@@ -102,8 +102,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Safe Output Health Monitor"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -429,7 +429,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1231,7 +1231,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml
index 2f9b1e429cf..bf2377efb3a 100644
--- a/.github/workflows/schema-consistency-checker.lock.yml
+++ b/.github/workflows/schema-consistency-checker.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Schema Consistency Checker"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -383,7 +383,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1127,7 +1127,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml
index 40232b6d262..8288526a67c 100644
--- a/.github/workflows/scout.lock.yml
+++ b/.github/workflows/scout.lock.yml
@@ -152,8 +152,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Scout"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -507,7 +507,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Parse integrity filter lists
id: parse-guard-vars
env:
@@ -1388,7 +1388,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml
index 1bb4ab58b55..d27be6228b7 100644
--- a/.github/workflows/security-compliance.lock.yml
+++ b/.github/workflows/security-compliance.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Security Compliance Campaign"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -387,7 +387,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1078,7 +1078,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml
index b443c6282bc..39ddfdee396 100644
--- a/.github/workflows/security-review.lock.yml
+++ b/.github/workflows/security-review.lock.yml
@@ -107,8 +107,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Security Review Agent 🔒"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -469,7 +469,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1246,7 +1246,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml
index 8dd2b447cae..8e9bc8fc0ee 100644
--- a/.github/workflows/semantic-function-refactor.lock.yml
+++ b/.github/workflows/semantic-function-refactor.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Semantic Function Refactoring"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -395,7 +395,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1191,7 +1191,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml
index 0e5d27d9083..2ab3ea9564c 100644
--- a/.github/workflows/sergo.lock.yml
+++ b/.github/workflows/sergo.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Sergo - Serena Go Expert"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -420,7 +420,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1211,7 +1211,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml
index fb88b4c2274..9f99783d951 100644
--- a/.github/workflows/slide-deck-maintainer.lock.yml
+++ b/.github/workflows/slide-deck-maintainer.lock.yml
@@ -105,8 +105,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Slide Deck Maintainer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -412,7 +412,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1166,7 +1166,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml
index 96bfb604691..0b2ec37bf22 100644
--- a/.github/workflows/smoke-agent-all-merged.lock.yml
+++ b/.github/workflows/smoke-agent-all-merged.lock.yml
@@ -118,8 +118,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Agent: all/merged"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -406,7 +406,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Parse integrity filter lists
id: parse-guard-vars
env:
@@ -1167,7 +1167,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml
index 83b9e442364..7d12cde51ec 100644
--- a/.github/workflows/smoke-agent-all-none.lock.yml
+++ b/.github/workflows/smoke-agent-all-none.lock.yml
@@ -118,8 +118,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Agent: all/none"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -406,7 +406,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Parse integrity filter lists
id: parse-guard-vars
env:
@@ -1167,7 +1167,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml
index 2de1df52f02..6bcafcb02e7 100644
--- a/.github/workflows/smoke-agent-public-approved.lock.yml
+++ b/.github/workflows/smoke-agent-public-approved.lock.yml
@@ -120,8 +120,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Agent: public/approved"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -409,7 +409,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Parse integrity filter lists
id: parse-guard-vars
env:
@@ -1200,7 +1200,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml
index 06c7cff9dac..ab0c3976f6b 100644
--- a/.github/workflows/smoke-agent-public-none.lock.yml
+++ b/.github/workflows/smoke-agent-public-none.lock.yml
@@ -118,8 +118,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Agent: public/none"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -406,7 +406,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Parse integrity filter lists
id: parse-guard-vars
env:
@@ -1167,7 +1167,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml
index 520e22271d0..ef260cca77b 100644
--- a/.github/workflows/smoke-agent-scoped-approved.lock.yml
+++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml
@@ -119,8 +119,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Agent: scoped/approved"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -408,7 +408,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Parse integrity filter lists
id: parse-guard-vars
env:
@@ -1174,7 +1174,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index 905826e1610..b2a74d9e4a8 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -141,8 +141,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Claude"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -909,7 +909,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -2741,7 +2741,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml
index a0a94ca9841..ff008af7016 100644
--- a/.github/workflows/smoke-copilot-arm.lock.yml
+++ b/.github/workflows/smoke-copilot-arm.lock.yml
@@ -127,8 +127,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Copilot ARM64"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -526,7 +526,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -2063,7 +2063,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 64ba355c34f..c62fbeb605e 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -130,8 +130,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Copilot"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -535,7 +535,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -2125,7 +2125,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml
index 27b6550f4f5..fd92190d3d1 100644
--- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml
+++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml
@@ -119,8 +119,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Create Cross-Repo PR"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -414,7 +414,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1205,7 +1205,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml
index 6d937a1a854..0a2ba5931b1 100644
--- a/.github/workflows/smoke-multi-pr.lock.yml
+++ b/.github/workflows/smoke-multi-pr.lock.yml
@@ -120,8 +120,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Multi PR"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -417,7 +417,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1187,7 +1187,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml
index 2e4442d1622..5eefe47cd39 100644
--- a/.github/workflows/smoke-project.lock.yml
+++ b/.github/workflows/smoke-project.lock.yml
@@ -119,8 +119,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Project"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -417,7 +417,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1323,7 +1323,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-service-ports.lock.yml b/.github/workflows/smoke-service-ports.lock.yml
index de4998d6ad5..f5364e43c5b 100644
--- a/.github/workflows/smoke-service-ports.lock.yml
+++ b/.github/workflows/smoke-service-ports.lock.yml
@@ -108,8 +108,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Service Ports"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -388,7 +388,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1094,7 +1094,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml
index 9720e1669e3..2dd2d014956 100644
--- a/.github/workflows/smoke-temporary-id.lock.yml
+++ b/.github/workflows/smoke-temporary-id.lock.yml
@@ -117,8 +117,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Temporary ID"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -411,7 +411,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1170,7 +1170,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml
index 09183d17b00..88a1802b08b 100644
--- a/.github/workflows/smoke-test-tools.lock.yml
+++ b/.github/workflows/smoke-test-tools.lock.yml
@@ -124,8 +124,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Agent Container Smoke Test"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -430,7 +430,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1136,7 +1136,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml
index 24c557c7080..f2d5d46e04e 100644
--- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml
+++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml
@@ -121,8 +121,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Update Cross-Repo PR"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -445,7 +445,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1231,7 +1231,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml
index e1d147dcabc..b75a57f9763 100644
--- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml
+++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml
@@ -126,8 +126,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Workflow Call with Inputs"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -399,7 +399,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1092,7 +1092,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml
index 32c18e53a13..a6c7184149c 100644
--- a/.github/workflows/smoke-workflow-call.lock.yml
+++ b/.github/workflows/smoke-workflow-call.lock.yml
@@ -129,8 +129,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Smoke Workflow Call"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -398,7 +398,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1083,7 +1083,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml
index ebc0cd23ab1..51b1497177c 100644
--- a/.github/workflows/stale-repo-identifier.lock.yml
+++ b/.github/workflows/stale-repo-identifier.lock.yml
@@ -108,8 +108,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Stale Repository Identifier"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -473,7 +473,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1194,7 +1194,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index c2c5b2a5834..dbb42b6afe2 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Static Analysis Report"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -446,7 +446,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1269,7 +1269,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml
index 46b07e734b9..eec1a48f002 100644
--- a/.github/workflows/step-name-alignment.lock.yml
+++ b/.github/workflows/step-name-alignment.lock.yml
@@ -92,8 +92,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Step Name Alignment"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -376,7 +376,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1141,7 +1141,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml
index 67f2b3dcadc..4a0e364b1ed 100644
--- a/.github/workflows/sub-issue-closer.lock.yml
+++ b/.github/workflows/sub-issue-closer.lock.yml
@@ -89,8 +89,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Sub-Issue Closer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -345,7 +345,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1064,7 +1064,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml
index 491eff33270..58b9d26afce 100644
--- a/.github/workflows/super-linter.lock.yml
+++ b/.github/workflows/super-linter.lock.yml
@@ -96,8 +96,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Super Linter Report"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -391,7 +391,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1081,7 +1081,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml
index 69108e8cf5f..6dbd5d86995 100644
--- a/.github/workflows/technical-doc-writer.lock.yml
+++ b/.github/workflows/technical-doc-writer.lock.yml
@@ -99,8 +99,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Rebuild the documentation after making changes"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -437,7 +437,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1193,7 +1193,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml
index 9662b5a65c1..c1ec8a1e933 100644
--- a/.github/workflows/terminal-stylist.lock.yml
+++ b/.github/workflows/terminal-stylist.lock.yml
@@ -96,8 +96,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Terminal Stylist"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -385,7 +385,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1087,7 +1087,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml
index 91a181f1fe8..4f03252dbb7 100644
--- a/.github/workflows/test-create-pr-error-handling.lock.yml
+++ b/.github/workflows/test-create-pr-error-handling.lock.yml
@@ -90,8 +90,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Test Create PR Error Handling"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -375,7 +375,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1129,7 +1129,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml
index 596082908f0..00b04e43e3f 100644
--- a/.github/workflows/test-dispatcher.lock.yml
+++ b/.github/workflows/test-dispatcher.lock.yml
@@ -85,8 +85,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Test Dispatcher Workflow"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -338,7 +338,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1003,7 +1003,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml
index 645c8358e91..d9cda1e2f7d 100644
--- a/.github/workflows/test-project-url-default.lock.yml
+++ b/.github/workflows/test-project-url-default.lock.yml
@@ -86,8 +86,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Test Project URL Explicit Requirement"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -338,7 +338,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1064,7 +1064,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml
index ca70f322f0c..b3d6b154b8f 100644
--- a/.github/workflows/test-workflow.lock.yml
+++ b/.github/workflows/test-workflow.lock.yml
@@ -89,8 +89,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Test Workflow"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -322,7 +322,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml
index ced73f74e42..da11464cec0 100644
--- a/.github/workflows/tidy.lock.yml
+++ b/.github/workflows/tidy.lock.yml
@@ -115,8 +115,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Tidy"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -434,7 +434,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1182,7 +1182,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml
index 8feb4b95d77..837de3042d9 100644
--- a/.github/workflows/typist.lock.yml
+++ b/.github/workflows/typist.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Typist - Go Type Analysis"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -394,7 +394,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1167,7 +1167,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml
index 7f6c01b749b..250794ec41e 100644
--- a/.github/workflows/ubuntu-image-analyzer.lock.yml
+++ b/.github/workflows/ubuntu-image-analyzer.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Ubuntu Actions Image Analyzer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -362,7 +362,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1075,7 +1075,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml
index 6b756462539..c8531fe5724 100644
--- a/.github/workflows/unbloat-docs.lock.yml
+++ b/.github/workflows/unbloat-docs.lock.yml
@@ -112,8 +112,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "claude"
GH_AW_INFO_ENGINE_NAME: "Claude Code"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || 'auto' }}
- GH_AW_INFO_VERSION: "2.1.92"
- GH_AW_INFO_AGENT_VERSION: "2.1.92"
+ GH_AW_INFO_VERSION: "2.1.94"
+ GH_AW_INFO_AGENT_VERSION: "2.1.94"
GH_AW_INFO_WORKFLOW_NAME: "Documentation Unbloat"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -460,7 +460,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1367,7 +1367,7 @@ jobs:
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.16
- name: Install Claude Code CLI
- run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.92
+ run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.94
- name: Execute Claude Code CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml
index 05dfa634918..2f801d212a0 100644
--- a/.github/workflows/update-astro.lock.yml
+++ b/.github/workflows/update-astro.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Update Astro"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -370,7 +370,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1101,7 +1101,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml
index d65a703d516..47e00da9ec1 100644
--- a/.github/workflows/video-analyzer.lock.yml
+++ b/.github/workflows/video-analyzer.lock.yml
@@ -94,8 +94,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Video Analysis Agent"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -363,7 +363,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1057,7 +1057,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml
index 1a6b75588ce..d6ee06b2a4c 100644
--- a/.github/workflows/weekly-blog-post-writer.lock.yml
+++ b/.github/workflows/weekly-blog-post-writer.lock.yml
@@ -97,8 +97,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Weekly Blog Post Writer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -417,7 +417,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1165,7 +1165,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml
index c0aa35e5c4f..d370b378308 100644
--- a/.github/workflows/weekly-editors-health-check.lock.yml
+++ b/.github/workflows/weekly-editors-health-check.lock.yml
@@ -90,8 +90,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Weekly Editors Health Check"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -353,7 +353,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1107,7 +1107,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml
index 7079d6c481b..19886b6bf8d 100644
--- a/.github/workflows/weekly-issue-summary.lock.yml
+++ b/.github/workflows/weekly-issue-summary.lock.yml
@@ -100,8 +100,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Weekly Issue Summary"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -396,7 +396,7 @@ jobs:
git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
echo "Git configured with standard GitHub Actions identity"
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1111,7 +1111,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml
index ff9c011a14f..7cab0921408 100644
--- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml
+++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml
@@ -94,8 +94,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Weekly Safe Outputs Specification Review"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -353,7 +353,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1041,7 +1041,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml
index 77cadd1ea7c..bafba8797f3 100644
--- a/.github/workflows/workflow-generator.lock.yml
+++ b/.github/workflows/workflow-generator.lock.yml
@@ -98,8 +98,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Workflow Generator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -387,7 +387,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1115,7 +1115,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml
index 4d6018b91cd..fca6c70a369 100644
--- a/.github/workflows/workflow-health-manager.lock.yml
+++ b/.github/workflows/workflow-health-manager.lock.yml
@@ -96,8 +96,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Workflow Health Manager - Meta-Orchestrator"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -380,7 +380,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1147,7 +1147,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml
index 5c16a28d6e0..5f3214bb362 100644
--- a/.github/workflows/workflow-normalizer.lock.yml
+++ b/.github/workflows/workflow-normalizer.lock.yml
@@ -96,8 +96,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Workflow Normalizer"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -386,7 +386,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1111,7 +1111,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml
index 0029d52524e..fdd5e8a26c5 100644
--- a/.github/workflows/workflow-skill-extractor.lock.yml
+++ b/.github/workflows/workflow-skill-extractor.lock.yml
@@ -93,8 +93,8 @@ jobs:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.20"
- GH_AW_INFO_AGENT_VERSION: "1.0.20"
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
GH_AW_INFO_WORKFLOW_NAME: "Workflow Skill Extractor"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
@@ -351,7 +351,7 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
@@ -1078,7 +1078,7 @@ jobs:
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
- run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.20
+ run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh 1.0.21
env:
GH_HOST: github.com
- name: Install AWF binary
diff --git a/README.md b/README.md
index c9eb1123e59..cb560041fd7 100644
--- a/README.md
+++ b/README.md
@@ -369,6 +369,7 @@ For development setup and contribution guidelines, see [CONTRIBUTING.md](CONTRIB
### @j-srodka
+- #25199 _(direct issue)_
- #23485 _(direct issue)_
- #23484 _(direct issue)_
- #23483 _(direct issue)_
@@ -598,6 +599,7 @@ For development setup and contribution guidelines, see [CONTRIBUTING.md](CONTRIB
### @salekseev
+- #25122 _(direct issue)_
- #24135 _(direct issue)_
### @samuelkahessay
diff --git a/docs/astro.config.mjs b/docs/astro.config.mjs
index 6b6fdb600c3..6e6bdba40d4 100644
--- a/docs/astro.config.mjs
+++ b/docs/astro.config.mjs
@@ -126,8 +126,10 @@ export default defineConfig({
'/patterns/siderepoops/': '/gh-aw/patterns/side-repo-ops/',
'/patterns/specops/': '/gh-aw/patterns/spec-ops/',
'/patterns/researchplanassignops/': '/gh-aw/patterns/research-plan-assign-ops/',
+ '/patterns/batchops/': '/gh-aw/patterns/batch-ops/',
'/patterns/taskops/': '/gh-aw/patterns/task-ops/',
'/patterns/trialops/': '/gh-aw/patterns/trial-ops/',
+ '/patterns/workqueueops/': '/gh-aw/patterns/workqueue-ops/',
},
integrations: [
sitemap(),
@@ -270,6 +272,7 @@ export default defineConfig({
{
label: 'Design Patterns',
items: [
+ { label: 'BatchOps', link: '/patterns/batch-ops/' },
{ label: 'CentralRepoOps', link: '/patterns/central-repo-ops/' },
{ label: 'ChatOps', link: '/patterns/chat-ops/' },
{ label: 'DailyOps', link: '/patterns/daily-ops/' },
@@ -286,6 +289,7 @@ export default defineConfig({
{ label: 'SpecOps', link: '/patterns/spec-ops/' },
{ label: 'TaskOps', link: '/patterns/task-ops/' },
{ label: 'TrialOps', link: '/patterns/trial-ops/' },
+ { label: 'WorkQueueOps', link: '/patterns/workqueue-ops/' },
],
},
{
diff --git a/docs/package-lock.json b/docs/package-lock.json
index e6faf2d6d22..ed48a8518f1 100644
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
@@ -10,7 +10,7 @@
"dependencies": {
"@astrojs/rss": "^4.0.18",
"@astrojs/sitemap": "^3.7.2",
- "@astrojs/starlight": "^0.38.2",
+ "@astrojs/starlight": "^0.38.3",
"@primer/octicons": "^19.23.1",
"astro": "^6.1.4",
"astro-mermaid": "^2.0.1",
@@ -18,7 +18,7 @@
"sharp": "^0.34.5",
"starlight-blog": "^0.26.1",
"starlight-changelogs": "^0.5.0",
- "starlight-links-validator": "^0.21.0",
+ "starlight-links-validator": "^0.22.0",
"starlight-llms-txt": "^0.8.0",
"yaml": "^2.8.3"
},
@@ -166,9 +166,9 @@
}
},
"node_modules/@astrojs/starlight": {
- "version": "0.38.2",
- "resolved": "https://registry.npmjs.org/@astrojs/starlight/-/starlight-0.38.2.tgz",
- "integrity": "sha512-7AsrvG4EsXUmJT5uqiXJN4oZqKaY0wc/Ip7C6/zGnShHRVoTAA4jxeYIZ3wqbqA6zv4cnp9qk31vB2m2dUcmfg==",
+ "version": "0.38.3",
+ "resolved": "https://registry.npmjs.org/@astrojs/starlight/-/starlight-0.38.3.tgz",
+ "integrity": "sha512-kDlJPlUDdQFWYmyFM2yUPo66yws7v067AEK+/rQjjoVyqehL3DabuOJuy6UJFFTFyGbHxYcBms/ITEgdW7tphw==",
"license": "MIT",
"dependencies": {
"@astrojs/markdown-remark": "^7.0.0",
@@ -5912,9 +5912,9 @@
}
},
"node_modules/lodash-es": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.23.tgz",
- "integrity": "sha512-kVI48u3PZr38HdYz98UmfPnXl2DXrpdctLrFLCd3kOx1xUkOmpFPx7gCWWM5MPkL/fD8zb+Ph0QzjGFs4+hHWg==",
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.18.1.tgz",
+ "integrity": "sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A==",
"license": "MIT"
},
"node_modules/lodash.kebabcase": {
@@ -9271,9 +9271,9 @@
}
},
"node_modules/starlight-links-validator": {
- "version": "0.21.0",
- "resolved": "https://registry.npmjs.org/starlight-links-validator/-/starlight-links-validator-0.21.0.tgz",
- "integrity": "sha512-X7pQC/5Dc7peDoZW/F4L+fD5qs9JmVXo3klNHsxRcVs3mSJXp2wFKZ/38hgr7yGLkp126IFKeHLy6jmOvnwvCA==",
+ "version": "0.22.0",
+ "resolved": "https://registry.npmjs.org/starlight-links-validator/-/starlight-links-validator-0.22.0.tgz",
+ "integrity": "sha512-G+RiDfZN07UOmkKWe7MKG2eBa4kQV6w+ZvC2rpf2eYYDCyaGsXu0T+ja/u2CdQt02mt4Pfk5DUndp6MVtnjefg==",
"license": "MIT",
"dependencies": {
"@types/picomatch": "^4.0.2",
diff --git a/docs/package.json b/docs/package.json
index 81956f7cf44..a9309eb4c65 100644
--- a/docs/package.json
+++ b/docs/package.json
@@ -19,7 +19,7 @@
"dependencies": {
"@astrojs/rss": "^4.0.18",
"@astrojs/sitemap": "^3.7.2",
- "@astrojs/starlight": "^0.38.2",
+ "@astrojs/starlight": "^0.38.3",
"@primer/octicons": "^19.23.1",
"astro": "^6.1.4",
"astro-mermaid": "^2.0.1",
@@ -27,7 +27,7 @@
"sharp": "^0.34.5",
"starlight-blog": "^0.26.1",
"starlight-changelogs": "^0.5.0",
- "starlight-links-validator": "^0.21.0",
+ "starlight-links-validator": "^0.22.0",
"starlight-llms-txt": "^0.8.0",
"yaml": "^2.8.3"
},
diff --git a/docs/src/content/docs/patterns/batch-ops.md b/docs/src/content/docs/patterns/batch-ops.md
new file mode 100644
index 00000000000..84983210a65
--- /dev/null
+++ b/docs/src/content/docs/patterns/batch-ops.md
@@ -0,0 +1,268 @@
+---
+title: BatchOps
+description: Process large volumes of work in parallel or chunked batches using matrix jobs, rate-limit-aware throttling, and result aggregation
+sidebar:
+ badge: { text: 'Batch processing', variant: 'caution' }
+---
+
+BatchOps is a pattern for processing large volumes of work items efficiently. Instead of iterating sequentially through hundreds of items in a single workflow run, BatchOps splits work into chunks, parallelizes where possible, handles partial failures gracefully, and aggregates results into a consolidated report.
+
+## When to Use BatchOps vs Sequential Processing
+
+| Scenario | Recommendation |
+|----------|----------------|
+| < 50 items, order matters | Sequential ([WorkQueueOps](/gh-aw/patterns/workqueue-ops/)) |
+| 50–500 items, order doesn't matter | BatchOps with chunked processing |
+| > 500 items, high parallelism safe | BatchOps with matrix fan-out |
+| Items have dependencies on each other | Sequential (WorkQueueOps) |
+| Items are fully independent | BatchOps (any strategy) |
+| Strict rate limits or quotas | Rate-limit-aware batching |
+
+## Batch Strategy 1: Chunked Processing
+
+Split work into fixed-size pages using `GITHUB_RUN_NUMBER`. Each run processes one page, picking up the next slice on the next scheduled run. Items must have a stable sort key (creation date, issue number) so pagination is deterministic.
+
+```aw wrap
+---
+on:
+ schedule:
+ - cron: "0 2 * * 1-5" # Weekdays at 2 AM
+ workflow_dispatch:
+
+tools:
+ github:
+ toolsets: [issues]
+ bash:
+ - "jq"
+ - "date"
+
+safe-outputs:
+ add-labels:
+ allowed: [stale, needs-triage, archived]
+ max: 30
+ add-comment:
+ max: 30
+
+steps:
+ - name: compute-page
+ id: compute-page
+ run: |
+ PAGE_SIZE=25
+ # Use run number mod to cycle through pages; reset every 1000 runs
+ PAGE=$(( (GITHUB_RUN_NUMBER % 1000) * PAGE_SIZE ))
+ echo "page_offset=$PAGE" >> "$GITHUB_OUTPUT"
+ echo "page_size=$PAGE_SIZE" >> "$GITHUB_OUTPUT"
+---
+
+# Chunked Issue Processor
+
+This run covers offset ${{ steps.compute-page.outputs.page_offset }} with page size ${{ steps.compute-page.outputs.page_size }}.
+
+1. List issues sorted by creation date (oldest first), skipping the first ${{ steps.compute-page.outputs.page_offset }} and taking ${{ steps.compute-page.outputs.page_size }}.
+2. For each issue: add `stale` if last updated > 90 days ago with no recent comments; add `needs-triage` if it has no labels; post a stale warning comment if applicable.
+3. Summarize: issues labeled, comments posted, any errors.
+```
+
+## Batch Strategy 2: Fan-Out with Matrix
+
+Use GitHub Actions matrix to run multiple batch workers in parallel, each responsible for a non-overlapping shard. Use `fail-fast: false` so one shard failure doesn't cancel the others. Each shard gets its own token and API rate limit quota.
+
+```aw wrap
+---
+on:
+ workflow_dispatch:
+ inputs:
+ total_shards:
+ description: "Number of parallel workers"
+ default: "4"
+ required: false
+
+jobs:
+ batch:
+ strategy:
+ matrix:
+ shard: [0, 1, 2, 3]
+ fail-fast: false # Continue other shards even if one fails
+
+tools:
+ github:
+ toolsets: [issues, pull_requests]
+
+safe-outputs:
+ add-labels:
+ allowed: [reviewed, duplicate, wontfix]
+ max: 50
+---
+
+# Matrix Batch Worker — Shard ${{ matrix.shard }} of ${{ inputs.total_shards }}
+
+Process only issues where `(issue_number % ${{ inputs.total_shards }}) == ${{ matrix.shard }}` — this ensures no two shards process the same issue.
+
+1. List all open issues (up to 500) and keep only those assigned to this shard.
+2. For each issue: check for duplicates (similar title/content); add label `reviewed`; if a duplicate is found, add `duplicate` and reference the original.
+3. Report: issues in this shard, how many labeled, any failures.
+```
+
+## Batch Strategy 3: Rate-Limit-Aware Batching
+
+Throttle API calls by processing items in small sub-batches with explicit pauses. Slower than unbounded processing but dramatically reduces rate-limit errors. Use [Rate Limiting Controls](/gh-aw/reference/rate-limiting-controls/) for built-in throttling.
+
+```aw wrap
+---
+on:
+ workflow_dispatch:
+ inputs:
+ batch_size:
+ description: "Items per sub-batch"
+ default: "10"
+ pause_seconds:
+ description: "Seconds to pause between sub-batches"
+ default: "30"
+
+tools:
+ github:
+ toolsets: [repos, issues]
+ bash:
+ - "sleep"
+ - "jq"
+
+safe-outputs:
+ add-comment:
+ max: 100
+ add-labels:
+ allowed: [labeled-by-bot]
+ max: 100
+---
+
+# Rate-Limited Batch Processor
+
+Process all open issues in sub-batches of ${{ inputs.batch_size }}, pausing ${{ inputs.pause_seconds }} seconds between batches.
+
+1. Fetch all open issue numbers (paginate if needed).
+2. For each sub-batch: read each issue body, determine the correct label, add the label, then pause before the next sub-batch.
+3. On HTTP 429: pause 60 seconds and retry once before marking the item as failed.
+4. Report: total processed, failed, skipped.
+```
+
+## Batch Strategy 4: Result Aggregation
+
+Collect results from multiple batch workers or runs and aggregate them into a single summary issue. Use [cache-memory](/gh-aw/reference/cache-memory/) to store intermediate results when runs span multiple days.
+
+```aw wrap
+---
+on:
+ workflow_dispatch:
+ inputs:
+ report_issue:
+ description: "Issue number to aggregate results into"
+ required: true
+
+tools:
+ cache-memory: true
+ github:
+ toolsets: [issues, repos]
+ bash:
+ - "jq"
+
+safe-outputs:
+ add-comment:
+ max: 1
+ update-issue:
+ body: true
+
+steps:
+ - name: collect-results
+ run: |
+ # Aggregate results from all result files written by previous batch runs
+ RESULTS_DIR="/tmp/gh-aw/cache-memory/batch-results"
+ if [ -d "$RESULTS_DIR" ]; then
+ jq -s '
+ {
+ total_processed: (map(.processed) | add // 0),
+ total_failed: (map(.failed) | add // 0),
+ total_skipped: (map(.skipped) | add // 0),
+ runs: length,
+ errors: (map(.errors // []) | add // [])
+ }
+ ' "$RESULTS_DIR"/*.json > /tmp/gh-aw/cache-memory/aggregate.json
+ cat /tmp/gh-aw/cache-memory/aggregate.json
+ else
+ echo '{"total_processed":0,"total_failed":0,"total_skipped":0,"runs":0,"errors":[]}' \
+ > /tmp/gh-aw/cache-memory/aggregate.json
+ fi
+---
+
+# Batch Result Aggregator
+
+Aggregate results from previous batch runs stored in `/tmp/gh-aw/cache-memory/batch-results/` into issue #${{ inputs.report_issue }}.
+
+1. Read `/tmp/gh-aw/cache-memory/aggregate.json` for totals and each individual result file for per-run breakdowns.
+2. Update issue #${{ inputs.report_issue }} body with a Markdown table: summary row (processed/failed/skipped) plus per-run breakdown. List any errors requiring manual intervention.
+3. Add a comment: "Batch complete ✅" if no failures, or "Batch complete with failures ⚠️" with a list of failed items.
+4. For each failed item, create a sub-issue so it can be retried.
+```
+
+## Error Handling and Partial Failures
+
+Batch workflows must be resilient to individual item failures.
+
+**Retry pattern**: When using cache-memory queues, track `retry_count` per failed item. Retry items where `retry_count < 3`; after three failures move them to `permanently_failed` for human review. Increment the count and save the queue after each attempt.
+
+**Failure isolation**:
+
+- Use `fail-fast: false` in matrix jobs so one shard failure doesn't cancel others
+- Write per-item results before moving to the next item
+- Store errors with enough context to diagnose and retry
+
+## Real-World Example: Updating Labels Across 100+ Issues
+
+This example processes a label migration (rename `bug` to `type:bug`) across all open and closed issues.
+
+```aw wrap
+---
+on:
+ workflow_dispatch:
+ inputs:
+ dry_run:
+ description: "Preview changes without applying them"
+ default: "true"
+
+tools:
+ github:
+ toolsets: [issues]
+ bash:
+ - "jq"
+
+safe-outputs:
+ add-labels:
+ allowed: [type:bug]
+ max: 200
+ remove-labels:
+ allowed: [bug]
+ max: 200
+ add-comment:
+ max: 1
+
+concurrency:
+ group: label-migration
+ cancel-in-progress: false
+---
+
+# Label Migration: `bug` → `type:bug`
+
+Migrate all issues with the label `bug` to use `type:bug`. List all issues (open and closed) with label `bug`, paginating to retrieve all of them.
+
+- If `${{ inputs.dry_run }}` is `true`: report how many issues would be updated and add a preview comment. Make no changes.
+- If `${{ inputs.dry_run }}` is `false`: for each issue add `type:bug` then remove `bug`. Process in sub-batches of 20 with 15-second pauses. Track successes and failures.
+
+Add a final comment with totals and a search link to verify no `bug` labels remain.
+```
+
+## Related Pages
+
+- [WorkQueueOps](/gh-aw/patterns/workqueue-ops/) — Sequential queue processing with issue checklists, sub-issues, cache-memory, and Discussions
+- [TaskOps](/gh-aw/patterns/task-ops/) — Research → Plan → Assign for developer-supervised work
+- [Cache Memory](/gh-aw/reference/cache-memory/) — Persistent state storage across workflow runs
+- [Repo Memory](/gh-aw/reference/repo-memory/) — Git-committed persistent state
+- [Rate Limiting Controls](/gh-aw/reference/rate-limiting-controls/) — Built-in throttling for API-heavy workflows
+- [Concurrency](/gh-aw/reference/concurrency/) — Prevent overlapping batch runs
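Review bot: In Batch Strategy 2 the matrix is fixed at `shard: [0, 1, 2, 3]` while the partition rule divides by the dispatch input `total_shards`, so any value other than 4 either leaves issues with remainder 4 and above unprocessed or leaves some shards with nothing to do. I would drop the input and write the rule as `(issue_number % 4) == ${{ matrix.shard }}`, or state beside the matrix that `total_shards` must equal the number of matrix entries. The sentence "Each shard gets its own token and API rate limit quota" also looks too strong: if the shards all use the repository's `GITHUB_TOKEN`, the quota is probably shared, so this should be confirmed or softened. In Strategy 1, `PAGE=$(( (GITHUB_RUN_NUMBER % 1000) * PAGE_SIZE ))` grows to an offset of 24975 before wrapping, so every run whose offset exceeds the backlog size selects an empty page; taking the run number modulo the page count of the backlog would avoid that.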
diff --git a/docs/src/content/docs/patterns/workqueue-ops.md b/docs/src/content/docs/patterns/workqueue-ops.md
new file mode 100644
index 00000000000..6006dfe5aad
--- /dev/null
+++ b/docs/src/content/docs/patterns/workqueue-ops.md
@@ -0,0 +1,188 @@
+---
+title: WorkQueueOps
+description: Process a queue of work items using GitHub issues, sub-issues, cache-memory, or Discussions as durable queue backends
+sidebar:
+ badge: { text: 'Queue-based', variant: 'note' }
+---
+
+WorkQueueOps is a pattern for systematically processing a large backlog of work items. Instead of processing everything at once, work is queued, tracked, and consumed incrementally — surviving interruptions, rate limits, and multi-day horizons. Use it when operations are idempotent and progress visibility matters.
+
+## Queue Strategy 1: Issue Checklist as Queue
+
+Use GitHub issue checkboxes as a lightweight, human-readable queue. The agent reads the issue body, finds unchecked items, processes each one, and checks it off. Best for small-to-medium batches (< 100 items). Use [Concurrency](/gh-aw/reference/concurrency/) controls to prevent race conditions between parallel runs.
+
+```aw wrap
+---
+on:
+ workflow_dispatch:
+ inputs:
+ queue_issue:
+ description: "Issue number containing the checklist queue"
+ required: true
+
+tools:
+ github:
+ toolsets: [issues]
+
+safe-outputs:
+ update-issue:
+ body: true
+ add-comment:
+ max: 1
+
+concurrency:
+ group: workqueue-${{ inputs.queue_issue }}
+ cancel-in-progress: false
+---
+
+# Checklist Queue Processor
+
+You are processing a work queue stored as checkboxes in issue #${{ inputs.queue_issue }}.
+
+1. Read issue #${{ inputs.queue_issue }} and find all unchecked items (`- [ ]`).
+2. For each unchecked item (at most 10 per run): perform the required work, then edit the issue body to change `- [ ]` to `- [x]`.
+3. Add a comment summarizing what was completed and what remains.
+4. If all items are checked, close the issue with a summary comment.
+```
+
+## Queue Strategy 2: Sub-Issues as Queue
+
+Create one sub-issue per work item. The agent queries open sub-issues of a parent tracking issue, processes each one, and closes it when done. Scales to hundreds of items with individual discussion threads per item. Use `max:` limits on `close-issue` to avoid notification storms.
+
+```aw wrap
+---
+on:
+ schedule:
+ - cron: "0 * * * *" # Every hour
+ workflow_dispatch:
+
+tools:
+ github:
+ toolsets: [issues]
+
+safe-outputs:
+ add-comment:
+ max: 5
+ close-issue:
+ max: 5
+
+concurrency:
+ group: sub-issue-queue
+ cancel-in-progress: false
+---
+
+# Sub-Issue Queue Processor
+
+You are processing a queue of open sub-issues. The parent tracking issue is labeled `queue-tracking`.
+
+1. Find the open issue labeled `queue-tracking` — this is the queue parent.
+2. List its open sub-issues and process at most 5 per run.
+3. For each sub-issue: read the body, perform the work, add a result comment, then close the issue.
+4. Add a progress comment on the parent issue showing how many items remain.
+
+If no sub-issues are open, post a comment on the parent issue saying the queue is empty.
+```
+
+## Queue Strategy 3: Cache-Memory Queue
+
+Store queue state as a JSON file in [cache-memory](/gh-aw/reference/cache-memory/). Each run loads the file, picks up where the last run left off, and saves the updated state. Best for large queues and multi-day processing horizons where items are generated programmatically. Cache-memory is scoped to a single branch; use filesystem-safe timestamps in filenames (no colons — e.g., `YYYY-MM-DD-HH-MM-SS-sss`).
+
+```aw wrap
+---
+on:
+ schedule:
+ - cron: "0 6 * * 1-5" # Weekdays at 6 AM
+ workflow_dispatch:
+
+tools:
+ cache-memory: true
+ github:
+ toolsets: [repos, issues]
+ bash:
+ - "jq"
+
+safe-outputs:
+ add-comment:
+ max: 10
+ add-labels:
+ allowed: [processed, needs-review]
+ max: 10
+---
+
+# Cache-Memory Queue Processor
+
+You process items from a persistent JSON queue at `/tmp/gh-aw/cache-memory/workqueue.json`:
+
+```json
+{
+ "pending": ["item-1", "item-2"],
+ "in_progress": [],
+ "completed": ["item-0"],
+ "failed": [],
+ "last_run": "2026-04-07-06-00-00"
+}
+```
+
+1. Load the queue file. If it doesn't exist, initialize it by listing all open issues without the label `processed` and populating `pending` with their numbers.
+2. Move up to 10 items from `pending` to `in_progress`.
+3. For each item: perform the required operation, then move it to `completed` on success or `failed` (with an error note) on failure.
+4. Save the updated queue JSON and report: X completed, Y failed, Z remaining.
+
+If `pending` is empty, announce that the queue is exhausted.
+```
+
+## Queue Strategy 4: Discussion-Based Queue
+
+Use a GitHub Discussion to track pending work items. Unresolved replies represent pending work; processing an item means resolving its reply. Best for community-sourced queues and async collaboration where humans need to inspect items before or after processing. Requires `discussions` in the GitHub toolset.
+
+```aw wrap
+---
+on:
+ schedule:
+ - cron: "0 8 * * *" # Daily at 8 AM
+ workflow_dispatch:
+
+tools:
+ github:
+ toolsets: [discussions]
+
+safe-outputs:
+ add-comment:
+ max: 5
+ create-discussion:
+ title-prefix: "[queue-log] "
+ category: "General"
+
+concurrency:
+ group: discussion-queue
+ cancel-in-progress: false
+---
+
+# Discussion Queue Processor
+
+A GitHub Discussion titled "Work Queue" (category "General") tracks pending items.
+Each unresolved top-level reply is a work item.
+
+1. Find the "Work Queue" discussion and list all unresolved replies (`isAnswered: false`).
+2. For each unresolved reply (at most 5 per run): parse the work description, perform the work, then reply with the result.
+3. Create a summary discussion post documenting what was processed today.
+```
+
+## Idempotency and Concurrency
+
+All WorkQueueOps patterns should be **idempotent**: running the same item twice should not cause double processing.
+
+| Technique | How |
+|-----------|-----|
+| Check before acting | Query current state (label present? comment exists?) before making changes |
+| Atomic state updates | Write queue state in a single step; avoid partial updates |
+| Concurrency groups | Use `concurrency.group` with `cancel-in-progress: false` to prevent parallel runs |
+| Retry budgets | Track failed items separately; set a retry limit before giving up |
+
+## Related Pages
+
+- [BatchOps](/gh-aw/patterns/batch-ops/) — Process large volumes in parallel chunks rather than sequentially
+- [TaskOps](/gh-aw/patterns/task-ops/) — Research → Plan → Assign pattern for developer-supervised work
+- [Cache Memory](/gh-aw/reference/cache-memory/) — Persistent state storage across workflow runs
+- [Repo Memory](/gh-aw/reference/repo-memory/) — Git-committed persistent state for cross-branch sharing
+- [Concurrency](/gh-aw/reference/concurrency/) — Prevent race conditions in queue-based workflows
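Review bot: In Queue Strategy 3 the JSON sample is fenced with three backticks inside an `aw wrap` block that is also fenced with three backticks, so under CommonMark rules the bare fence after the JSON closes the outer block and the fence after "the queue is exhausted" opens a new one that swallows the Queue Strategy 4 heading and example. Using a four-backtick fence for the outer `aw wrap` block in that section keeps the inner fence literal. Separately, Strategies 1, 2 and 4 tell the agent to perform the work described in issue bodies, sub-issue bodies or discussion replies, and that text is written by whoever can edit or post there (Strategy 4 is explicitly recommended for community-sourced queues). The page should say that queue items are untrusted input, that each workflow should define the one operation it performs rather than take it from the item text, and that the `safe-outputs` limits are what bounds the effect of a malicious item.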
diff --git a/docs/src/content/docs/reference/glossary.md b/docs/src/content/docs/reference/glossary.md
index 1cbf3ce5f39..41d5e09a137 100644
--- a/docs/src/content/docs/reference/glossary.md
+++ b/docs/src/content/docs/reference/glossary.md
@@ -529,6 +529,10 @@ Parameters provided when manually triggering a workflow with `workflow_dispatch`
Operational patterns (suffixed with "-Ops") are established workflow architectures for common automation scenarios. Each pattern addresses specific use cases with recommended triggers, tools, and safe outputs.
+### BatchOps
+
+Pattern for processing large volumes of work items efficiently using chunked pagination, matrix fan-out, or rate-limit-aware sub-batching. BatchOps splits a backlog into parallel or sequential chunks, handles partial failures with `fail-fast: false`, and aggregates results into a consolidated report. Use when items are independent and order doesn't matter. See [BatchOps](/gh-aw/patterns/batch-ops/).
+
### CentralRepoOps
A [MultiRepoOps](#multirepoops) deployment variant where a single private repository acts as a control plane for coordinating large-scale operations across many repositories. Enables consistent rollouts, policy updates, and centralized tracking using cross-repository safe outputs and secure authentication. See [CentralRepoOps](/gh-aw/patterns/central-repo-ops/).
@@ -585,6 +589,10 @@ Scaffolded AI-powered code improvement strategy with three phases: research agen
Testing and validation pattern executing workflows in isolated trial repositories before production deployment. Creates temporary private repositories where workflows run safely, capturing safe outputs without modifying your actual codebase. See [TrialOps](/gh-aw/patterns/trial-ops/).
+### WorkQueueOps
+
+Pattern for incrementally processing a backlog of work items using a durable queue backend — issue checklists, sub-issues, [cache-memory](#cache-memory), or GitHub Discussions. Each run picks up where the last left off, making it resilient to interruptions and rate limits. Items should be idempotent and independently processable. See [WorkQueueOps](/gh-aw/patterns/workqueue-ops/).
+
## Related Resources
For detailed documentation on specific topics, see:
diff --git a/pkg/cli/codemod_expires_integer.go b/pkg/cli/codemod_expires_integer.go
index e7dab3a7321..bc0a0ff3693 100644
--- a/pkg/cli/codemod_expires_integer.go
+++ b/pkg/cli/codemod_expires_integer.go
@@ -13,9 +13,9 @@ var expiresIntegerCodemodLog = logger.New("cli:codemod_expires_integer")
// expiresIntegerValuePattern matches an expires value that is a pure integer (possibly with a trailing comment)
var expiresIntegerValuePattern = regexp.MustCompile(`^(\s*)(\d+)(\s*)(#.*)?$`)
-// getExpiresIntegerToStringCodemod creates a codemod for converting integer expires values to day strings.
+// getExpiresIntegerToDayStringCodemod creates a codemod for converting integer expires values to day strings.
// Converts e.g. "expires: 7" to "expires: 7d" in all safe-outputs types.
-func getExpiresIntegerToStringCodemod() Codemod {
+func getExpiresIntegerToDayStringCodemod() Codemod {
return Codemod{
ID: "expires-integer-to-string",
Name: "Convert expires integer to day string",
@@ -89,7 +89,7 @@ func convertExpiresIntegersToDayStrings(lines []string) ([]string, bool) {
// Convert integer expires to day string if inside safe-outputs block
if inSafeOutputsBlock && strings.HasPrefix(trimmedLine, "expires:") {
- newLine, converted := convertExpiresLineToString(line)
+ newLine, converted := convertExpiresIntegerLineToDayString(line)
if converted {
result = append(result, newLine)
modified = true
@@ -104,11 +104,11 @@ func convertExpiresIntegersToDayStrings(lines []string) ([]string, bool) {
return result, modified
}
-// convertExpiresLineToString converts an expires line with an integer value to use a day string.
+// convertExpiresIntegerLineToDayString converts an expires line with an integer value to use a day string.
// For example: " expires: 7" -> " expires: 7d"
// Lines that already use a string format (e.g., "expires: 7d", "expires: 24h") are left unchanged.
// Returns the (possibly converted) line and whether a conversion was made.
-func convertExpiresLineToString(line string) (string, bool) {
+func convertExpiresIntegerLineToDayString(line string) (string, bool) {
indent := getIndentation(line)
trimmedLine := strings.TrimSpace(line)
diff --git a/pkg/cli/codemod_expires_integer_test.go b/pkg/cli/codemod_expires_integer_test.go
index 494784d0cf2..f5291312ee4 100644
--- a/pkg/cli/codemod_expires_integer_test.go
+++ b/pkg/cli/codemod_expires_integer_test.go
@@ -10,7 +10,7 @@ import (
)
func TestGetExpiresIntegerToStringCodemod(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
assert.Equal(t, "expires-integer-to-string", codemod.ID)
assert.Equal(t, "Convert expires integer to day string", codemod.Name)
@@ -20,7 +20,7 @@ func TestGetExpiresIntegerToStringCodemod(t *testing.T) {
}
func TestExpiresIntegerCodemod_ConvertsCreateIssue(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
content := `---
on: workflow_dispatch
@@ -48,7 +48,7 @@ safe-outputs:
}
func TestExpiresIntegerCodemod_ConvertsCreateDiscussion(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
content := `---
on: workflow_dispatch
@@ -76,7 +76,7 @@ safe-outputs:
}
func TestExpiresIntegerCodemod_ConvertsCreatePullRequest(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
content := `---
on: workflow_dispatch
@@ -104,7 +104,7 @@ safe-outputs:
}
func TestExpiresIntegerCodemod_AlreadyStringFormat_NoChange(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
content := `---
on: workflow_dispatch
@@ -132,7 +132,7 @@ safe-outputs:
}
func TestExpiresIntegerCodemod_HourStringFormat_NoChange(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
content := `---
on: workflow_dispatch
@@ -160,7 +160,7 @@ safe-outputs:
}
func TestExpiresIntegerCodemod_NoSafeOutputs_NoChange(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
content := `---
on: workflow_dispatch
@@ -185,7 +185,7 @@ permissions:
}
func TestExpiresIntegerCodemod_PreservesComment(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
content := `---
on: workflow_dispatch
@@ -213,7 +213,7 @@ safe-outputs:
}
func TestExpiresIntegerCodemod_PreservesOtherFields(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
content := `---
on: workflow_dispatch
@@ -248,7 +248,7 @@ safe-outputs:
}
func TestExpiresIntegerCodemod_MultipleOutputTypes(t *testing.T) {
- codemod := getExpiresIntegerToStringCodemod()
+ codemod := getExpiresIntegerToDayStringCodemod()
content := `---
on: workflow_dispatch
@@ -334,7 +334,7 @@ func TestConvertExpiresLineToString_Integer(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
- result, changed := convertExpiresLineToString(tt.input)
+ result, changed := convertExpiresIntegerLineToDayString(tt.input)
assert.Equal(t, tt.changed, changed, "changed flag should match")
assert.Equal(t, tt.expected, result, "converted line should match")
})
diff --git a/pkg/cli/docker_images.go b/pkg/cli/docker_images.go
index ea911f2dcd7..ef1af89dd14 100644
--- a/pkg/cli/docker_images.go
+++ b/pkg/cli/docker_images.go
@@ -14,6 +14,19 @@ import (
var dockerImagesLog = logger.New("cli:docker_images")
+// DockerUnavailableError is returned when the Docker daemon is not accessible.
+// This is distinct from transient errors (e.g., images being downloaded) and signals
+// that Docker is not installed or not running on the host system.
+// Callers can use errors.As to check for this type and take appropriate action,
+// such as skipping static analysis but still running the compile step.
+type DockerUnavailableError struct {
+ Message string
+}
+
+func (e *DockerUnavailableError) Error() string {
+ return e.Message
+}
+
// DockerImages defines the Docker images used by the compile tool's static analysis scanners
const (
ZizmorImage = "ghcr.io/zizmorcore/zizmor:latest"
@@ -226,7 +239,9 @@ func CheckAndPrepareDockerImages(ctx context.Context, useZizmor, usePoutine, use
if len(requestedTools) > 1 {
verb = "require"
}
- return fmt.Errorf("docker is not available (cannot connect to Docker daemon). %s %s Docker. Please install and start Docker, or set %s to skip static analysis", strings.Join(requestedTools, " and "), verb, strings.Join(paramsList, " and "))
+ return &DockerUnavailableError{
+ Message: fmt.Sprintf("docker is not available (cannot connect to Docker daemon). %s %s Docker. Please install and start Docker, or set %s to skip static analysis", strings.Join(requestedTools, " and "), verb, strings.Join(paramsList, " and ")),
+ }
}
var missingImages []string
diff --git a/pkg/cli/docker_images_test.go b/pkg/cli/docker_images_test.go
index 085a2193a53..5a280dcfc27 100644
--- a/pkg/cli/docker_images_test.go
+++ b/pkg/cli/docker_images_test.go
@@ -4,6 +4,7 @@ package cli
import (
"context"
+ "errors"
"strings"
"testing"
"time"
@@ -566,3 +567,24 @@ func TestIsDockerAvailable_MockFalse(t *testing.T) {
}
ResetDockerPullState()
}
+
+func TestCheckAndPrepareDockerImages_DockerUnavailable_ReturnsTypedError(t *testing.T) {
+ // Reset state before test
+ ResetDockerPullState()
+ SetMockDockerAvailable(false)
+
+ err := CheckAndPrepareDockerImages(context.Background(), false, false, true, false)
+ if err == nil {
+ t.Fatal("Expected error when Docker is unavailable, got nil")
+ }
+
+ // Verify the error is the typed DockerUnavailableError so callers can distinguish
+ // it from transient errors (e.g., images downloading).
+ var dockerUnavailableErr *DockerUnavailableError
+ if !errors.As(err, &dockerUnavailableErr) {
+ t.Errorf("Expected error to be *DockerUnavailableError, got %T: %v", err, err)
+ }
+
+ // Clean up
+ ResetDockerPullState()
+}
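Review bot: The cleanup in `TestCheckAndPrepareDockerImages_DockerUnavailable_ReturnsTypedError` is a plain trailing call, so it is skipped when `t.Fatal` fires on the nil-error path, and the state set by `SetMockDockerAvailable(false)` may leak into later tests. Register it up front instead, with `t.Cleanup(ResetDockerPullState)` right after the first `ResetDockerPullState()`. Whether `ResetDockerPullState` also clears the mock is not visible here; the neighbouring test relies on the same call, so this follows the file's convention.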
diff --git a/pkg/cli/fix_codemods.go b/pkg/cli/fix_codemods.go
index 4d509c8e824..9bdb843c2a4 100644
--- a/pkg/cli/fix_codemods.go
+++ b/pkg/cli/fix_codemods.go
@@ -45,7 +45,7 @@ func GetAllCodemods() []Codemod {
getEngineStepsToTopLevelCodemod(), // Move engine.steps to top-level steps
getAssignToAgentDefaultAgentCodemod(), // Rename deprecated default-agent to name in assign-to-agent
getPlaywrightDomainsToNetworkAllowedCodemod(), // Migrate tools.playwright.allowed_domains to network.allowed
- getExpiresIntegerToStringCodemod(), // Convert expires integer (days) to string with 'd' suffix
+ getExpiresIntegerToDayStringCodemod(), // Convert expires integer (days) to string with 'd' suffix
getGitHubAppCodemod(), // Rename deprecated 'app' to 'github-app'
getSafeInputsToMCPScriptsCodemod(), // Rename safe-inputs to mcp-scripts
getPluginsToDependenciesCodemod(), // Migrate plugins to dependencies (plugins removed in favour of APM)
diff --git a/pkg/cli/mcp_tools_readonly.go b/pkg/cli/mcp_tools_readonly.go
index 855c33a933e..7af2c902aef 100644
--- a/pkg/cli/mcp_tools_readonly.go
+++ b/pkg/cli/mcp_tools_readonly.go
@@ -131,20 +131,40 @@ Returns JSON array with validation results for each workflow:
default:
}
+ // dockerUnavailableWarning is set when Docker is not accessible but the compile
+ // should still proceed without the static-analysis tools. After the compile
+ // attempt, the warning is appended to workflow results in the JSON output so
+ // the caller knows linting was skipped, while preserving each workflow's
+ // valid/invalid status.
+ var dockerUnavailableWarning string
+
// Check if any static analysis tools are requested that require Docker images
if args.Zizmor || args.Poutine || args.Actionlint || args.RunnerGuard {
// Check if Docker images are available; if not, start downloading and return retry message
if err := CheckAndPrepareDockerImages(ctx, args.Zizmor, args.Poutine, args.Actionlint, args.RunnerGuard); err != nil {
- // Build per-workflow validation errors instead of throwing an MCP protocol error,
- // so callers always receive consistent JSON regardless of the failure mode.
- results := buildDockerErrorResults(args.Workflows, err.Error())
- jsonBytes, jsonErr := json.Marshal(results)
- if jsonErr != nil {
- return nil, nil, newMCPError(jsonrpc.CodeInternalError, "failed to marshal docker error results", jsonErr.Error())
+ var dockerUnavailableErr *DockerUnavailableError
+ if errors.As(err, &dockerUnavailableErr) {
+ // Docker daemon is not running. Instead of failing every workflow,
+ // compile without the Docker-based tools and surface a warning so
+ // the caller knows static analysis was skipped.
+ dockerUnavailableWarning = err.Error()
+ args.Zizmor = false
+ args.Poutine = false
+ args.Actionlint = false
+ args.RunnerGuard = false
+ } else {
+ // Images are still downloading — ask the caller to retry.
+ // Build per-workflow validation errors instead of throwing an MCP protocol error,
+ // so callers always receive consistent JSON regardless of the failure mode.
+ results := buildDockerErrorResults(args.Workflows, err.Error())
+ jsonBytes, jsonErr := json.Marshal(results)
+ if jsonErr != nil {
+ return nil, nil, newMCPError(jsonrpc.CodeInternalError, "failed to marshal docker error results", jsonErr.Error())
+ }
+ return &mcp.CallToolResult{
+ Content: []mcp.Content{&mcp.TextContent{Text: string(jsonBytes)}},
+ }, nil, nil
}
- return &mcp.CallToolResult{
- Content: []mcp.Content{&mcp.TextContent{Text: string(jsonBytes)}},
- }, nil, nil
}
// Check for cancellation after Docker image preparation
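Review bot: The new `errors.As` branch fails open: when the Docker daemon is unreachable, every scanner the caller asked for (`args.Zizmor`, `args.Poutine`, `args.Actionlint`, `args.RunnerGuard`) is switched off and the compile continues, so a workflow can come back `valid: true` without the requested security analysis having run. The only signal is a warning entry, which an automated caller that checks `valid` alone will not notice. Consider keeping the previous per-workflow `config_error` as the default and making the skip an explicit opt-in, or at least logging the skip on the server side. The `else` comment `// Images are still downloading` also covers every other error `CheckAndPrepareDockerImages` can return; `// Any other error (e.g. images still downloading): report it per workflow` would be more accurate. The enclosing handler starts and ends outside the hunk.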
@@ -224,6 +244,13 @@ Returns JSON array with validation results for each workflow:
// and return it to the LLM
}
+ // When Docker was unavailable, inject a warning into every workflow result so the
+ // caller knows that static analysis was skipped — but does NOT mark valid
+ // workflows as invalid.
+ if dockerUnavailableWarning != "" {
+ outputStr = injectDockerUnavailableWarning(outputStr, dockerUnavailableWarning)
+ }
+
return &mcp.CallToolResult{
Content: []mcp.Content{
&mcp.TextContent{Text: outputStr},
@@ -384,8 +411,9 @@ Also returns pr_number, head_sha, check_runs, statuses, and total_count.`,
}
// buildDockerErrorResults builds a []ValidationResult with a config_error for each target
-// workflow. It is used when Docker is unavailable so the compile tool returns consistent
-// structured JSON instead of a protocol-level error.
+// workflow. It is used when Docker images are still being downloaded (transient error) so
+// the compile tool returns consistent structured JSON instead of a protocol-level error.
+// For the persistent case where Docker is not available at all, see injectDockerUnavailableWarning.
func buildDockerErrorResults(requestedWorkflows []string, errMsg string) []ValidationResult {
// Determine which workflow names to report
var workflowNames []string
@@ -430,3 +458,30 @@ func buildDockerErrorResults(requestedWorkflows []string, errMsg string) []Valid
}
return results
}
+
+// injectDockerUnavailableWarning parses the JSON compile output and appends a
+// "docker_unavailable" warning to every workflow result. It is used when Docker
+// is not running so the caller knows static analysis was skipped, while preserving
+// the compile-time valid/invalid status of each workflow.
+// If the JSON cannot be parsed the original output is returned unchanged.
+func injectDockerUnavailableWarning(outputStr, warningMsg string) string {
+ var results []ValidationResult
+ if err := json.Unmarshal([]byte(outputStr), &results); err != nil {
+ // Can't parse — return original output so we don't lose information.
+ return outputStr
+ }
+
+ warning := CompileValidationError{
+ Type: "docker_unavailable",
+ Message: warningMsg,
+ }
+ for i := range results {
+ results[i].Warnings = append(results[i].Warnings, warning)
+ }
+
+ jsonBytes, err := json.Marshal(results)
+ if err != nil {
+ return outputStr
+ }
+ return string(jsonBytes)
+}
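Review bot: `injectDockerUnavailableWarning` drops the warning silently in three cases: the output does not unmarshal into `[]ValidationResult`, the re-marshal fails, or the array is empty so the loop has nothing to attach to. In each case the caller receives a result with no indication that static analysis was skipped, and this warning is the only trace of that skip. Log the failure in both early-return branches, and consider a fallback that still carries the warning, for example a synthetic result entry. Round-tripping through `ValidationResult` may also drop or reshape fields the struct does not declare; the struct is not visible here, so that is worth confirming.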
diff --git a/pkg/cli/mcp_tools_readonly_test.go b/pkg/cli/mcp_tools_readonly_test.go
new file mode 100644
index 00000000000..f7a5be2188a
--- /dev/null
+++ b/pkg/cli/mcp_tools_readonly_test.go
@@ -0,0 +1,81 @@
+//go:build !integration
+
+package cli
+
+import (
+ "encoding/json"
+ "testing"
+)
+
+func TestInjectDockerUnavailableWarning_AddsWarningToValidResults(t *testing.T) {
+ // Simulate compile output where both workflows compiled successfully.
+ inputJSON := `[{"workflow":"a.md","valid":true,"errors":[],"warnings":[]},{"workflow":"b.md","valid":true,"errors":[],"warnings":[]}]`
+ warningMsg := "docker is not available (cannot connect to Docker daemon). actionlint requires Docker."
+
+ output := injectDockerUnavailableWarning(inputJSON, warningMsg)
+
+ var results []ValidationResult
+ if err := json.Unmarshal([]byte(output), &results); err != nil {
+ t.Fatalf("Failed to parse injected output: %v", err)
+ }
+
+ if len(results) != 2 {
+ t.Fatalf("Expected 2 results, got %d", len(results))
+ }
+
+ for _, r := range results {
+ if !r.Valid {
+ t.Errorf("Workflow %s should still be valid after Docker unavailable warning", r.Workflow)
+ }
+ if len(r.Warnings) != 1 {
+ t.Errorf("Workflow %s should have 1 warning, got %d", r.Workflow, len(r.Warnings))
+ continue
+ }
+ if r.Warnings[0].Type != "docker_unavailable" {
+ t.Errorf("Expected warning type 'docker_unavailable', got '%s'", r.Warnings[0].Type)
+ }
+ if r.Warnings[0].Message != warningMsg {
+ t.Errorf("Expected warning message %q, got %q", warningMsg, r.Warnings[0].Message)
+ }
+ }
+}
+
+func TestInjectDockerUnavailableWarning_PreservesInvalidResults(t *testing.T) {
+ // One workflow failed to compile; the other succeeded.
+ inputJSON := `[{"workflow":"bad.md","valid":false,"errors":[{"type":"parse_error","message":"syntax error"}],"warnings":[]},{"workflow":"good.md","valid":true,"errors":[],"warnings":[]}]`
+ warningMsg := "docker is not available"
+
+ output := injectDockerUnavailableWarning(inputJSON, warningMsg)
+
+ var results []ValidationResult
+ if err := json.Unmarshal([]byte(output), &results); err != nil {
+ t.Fatalf("Failed to parse injected output: %v", err)
+ }
+
+ if len(results) != 2 {
+ t.Fatalf("Expected 2 results, got %d", len(results))
+ }
+
+ // bad.md should remain invalid and still carry its original error.
+ if results[0].Valid {
+ t.Error("bad.md should remain invalid")
+ }
+ if len(results[0].Errors) != 1 || results[0].Errors[0].Type != "parse_error" {
+ t.Error("bad.md should still have its original parse_error")
+ }
+ // good.md should be valid with the warning appended.
+ if !results[1].Valid {
+ t.Error("good.md should still be valid")
+ }
+ if len(results[1].Warnings) != 1 || results[1].Warnings[0].Type != "docker_unavailable" {
+ t.Error("good.md should have the docker_unavailable warning")
+ }
+}
+
+func TestInjectDockerUnavailableWarning_InvalidJSONReturnedUnchanged(t *testing.T) {
+ invalidJSON := "not-valid-json"
+ output := injectDockerUnavailableWarning(invalidJSON, "some warning")
+ if output != invalidJSON {
+ t.Errorf("Expected original output to be returned unchanged for invalid JSON, got: %s", output)
+ }
+}
diff --git a/pkg/constants/version_constants.go b/pkg/constants/version_constants.go
index 31507c173bb..06cc358ca64 100644
--- a/pkg/constants/version_constants.go
+++ b/pkg/constants/version_constants.go
@@ -32,10 +32,10 @@ func (v Version) IsValid() bool {
type ModelName string
// DefaultClaudeCodeVersion is the default version of the Claude Code CLI.
-const DefaultClaudeCodeVersion Version = "2.1.92"
+const DefaultClaudeCodeVersion Version = "2.1.94"
// DefaultCopilotVersion is the default version of the GitHub Copilot CLI.
-const DefaultCopilotVersion Version = "1.0.20"
+const DefaultCopilotVersion Version = "1.0.21"
// DefaultCodexVersion is the default version of the OpenAI Codex CLI
const DefaultCodexVersion Version = "0.118.0"
diff --git a/pkg/parser/import_field_extractor.go b/pkg/parser/import_field_extractor.go
index b051e0a6984..98b5d7fdaf3 100644
--- a/pkg/parser/import_field_extractor.go
+++ b/pkg/parser/import_field_extractor.go
@@ -23,6 +23,7 @@ type importAccumulator struct {
importPaths []string // Import paths for runtime-import macro generation
stepsBuilder strings.Builder
copilotSetupStepsBuilder strings.Builder // Steps from copilot-setup-steps.yml (inserted at start)
+ preStepsBuilder strings.Builder
runtimesBuilder strings.Builder
servicesBuilder strings.Builder
networkBuilder strings.Builder
@@ -72,7 +73,7 @@ func newImportAccumulator() *importAccumulator {
// extractAllImportFields extracts all frontmatter fields from a single imported file
// and accumulates the results. Handles tools, engines, mcp-servers, safe-outputs,
// mcp-scripts, steps, runtimes, services, network, permissions, secret-masking, bots,
-// skip-roles, skip-bots, post-steps, labels, cache, and features.
+// skip-roles, skip-bots, pre-steps, post-steps, labels, cache, and features.
func (acc *importAccumulator) extractAllImportFields(content []byte, item importQueueItem, visited map[string]bool) error {
log.Printf("Extracting all import fields: path=%s, section=%s, inputs=%d, content_size=%d bytes", item.fullPath, item.sectionName, len(item.inputs), len(content))
@@ -310,6 +311,12 @@ func (acc *importAccumulator) extractAllImportFields(content []byte, item import
}
}
+ // Extract pre-steps from imported file (prepend in order)
+ preStepsContent, err := extractYAMLFieldFromMap(fm, "pre-steps")
+ if err == nil && preStepsContent != "" {
+ acc.preStepsBuilder.WriteString(preStepsContent + "\n")
+ }
+
// Extract post-steps from imported file (append in order)
postStepsContent, err := extractYAMLFieldFromMap(fm, "post-steps")
if err == nil && postStepsContent != "" {
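Review bot: A failed `extractYAMLFieldFromMap(fm, "pre-steps")` is discarded here: the `err == nil && preStepsContent != ""` guard skips the write and nothing is logged, so an imported file whose pre-steps cannot be extracted compiles as if it had none. This patch describes pre-steps as the place to mint tokens before checkout, so a silently missing one changes what the job runs with. Add `else if err != nil { log.Printf("Failed to extract pre-steps from %s: %v", item.fullPath, err) }` or return the error. The comment says `prepend in order` while `WriteString` appends; `accumulate in import order` would match the code. `extractAllImportFields` starts and ends outside the hunk.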
@@ -408,6 +415,7 @@ func (acc *importAccumulator) toImportsResult(topologicalOrder []string) *Import
ImportPaths: acc.importPaths,
MergedSteps: acc.stepsBuilder.String(),
CopilotSetupSteps: acc.copilotSetupStepsBuilder.String(),
+ MergedPreSteps: acc.preStepsBuilder.String(),
MergedRuntimes: acc.runtimesBuilder.String(),
MergedRunInstallScripts: acc.runInstallScripts,
MergedServices: acc.servicesBuilder.String(),
diff --git a/pkg/parser/import_processor.go b/pkg/parser/import_processor.go
index f1ab1ba9e2a..31bb85a6f98 100644
--- a/pkg/parser/import_processor.go
+++ b/pkg/parser/import_processor.go
@@ -23,6 +23,7 @@ type ImportsResult struct {
ImportPaths []string // List of import file paths for runtime-import macro generation (replaces MergedMarkdown)
MergedSteps string // Merged steps configuration from all imports (excluding copilot-setup-steps)
CopilotSetupSteps string // Steps from copilot-setup-steps.yml (inserted at start)
+ MergedPreSteps string // Merged pre-steps configuration from all imports (prepended in order)
MergedRuntimes string // Merged runtimes configuration from all imports
MergedRunInstallScripts bool // true if any imported workflow sets run-install-scripts: true (global or node-level)
MergedServices string // Merged services configuration from all imports
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
index 9b47e5a6ba1..d15163ed5f9 100644
--- a/pkg/parser/schemas/main_workflow_schema.json
+++ b/pkg/parser/schemas/main_workflow_schema.json
@@ -3317,6 +3317,41 @@
}
]
},
+ "pre-steps": {
+ "description": "Custom workflow steps to run at the very beginning of the agent job, before checkout and any other built-in steps. Use pre-steps to mint short-lived tokens or perform any setup that must happen before the repository is checked out. Step outputs are available via ${{ steps..outputs. }} and can be referenced in checkout.token to avoid masked-value cross-job-boundary issues.",
+ "oneOf": [
+ {
+ "type": "object",
+ "additionalProperties": true
+ },
+ {
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "object",
+ "additionalProperties": true
+ }
+ ]
+ },
+ "examples": [
+ [
+ {
+ "name": "Mint short-lived token",
+ "id": "mint",
+ "uses": "some-org/token-minting-action@v1",
+ "with": {
+ "scope": "target-org/target-repo"
+ }
+ }
+ ]
+ ]
+ }
+ ]
+ },
"post-steps": {
"description": "Custom workflow steps to run after AI execution",
"oneOf": [
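Review bot: The example step references the token-minting action by a mutable tag, `"uses": "some-org/token-minting-action@v1"`. For a step whose purpose is to mint credentials, the example should show a full commit SHA, as the fixture in `compiler_presteps_test.go` does, e.g. `"uses": "some-org/token-minting-action@FULL_COMMIT_SHA_PLACEHOLDER"`. The description's `${{ steps..outputs. }}` reads as if the step-id and output-name placeholders were lost; if that is in the file and not an artefact of this rendering, spell them out. Both object branches set `"additionalProperties": true`, so the schema does not constrain step keys at all; whether that matches `post-steps` is not visible in the hunk.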
diff --git a/pkg/workflow/compiler_orchestrator_workflow.go b/pkg/workflow/compiler_orchestrator_workflow.go
index 6e43cc1f94a..079677fc545 100644
--- a/pkg/workflow/compiler_orchestrator_workflow.go
+++ b/pkg/workflow/compiler_orchestrator_workflow.go
@@ -147,8 +147,11 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
// Process and merge custom steps with imported steps
c.processAndMergeSteps(result.Frontmatter, workflowData, engineSetup.importsResult)
+ // Process and merge pre-steps
+ c.processAndMergePreSteps(result.Frontmatter, workflowData, engineSetup.importsResult)
+
// Process and merge post-steps
- c.processAndMergePostSteps(result.Frontmatter, workflowData)
+ c.processAndMergePostSteps(result.Frontmatter, workflowData, engineSetup.importsResult)
// Process and merge services
c.processAndMergeServices(result.Frontmatter, workflowData, engineSetup.importsResult)
@@ -493,40 +496,121 @@ func (c *Compiler) processAndMergeSteps(frontmatter map[string]any, workflowData
}
}
-// processAndMergePostSteps handles the processing of post-steps with action pinning
-func (c *Compiler) processAndMergePostSteps(frontmatter map[string]any, workflowData *WorkflowData) {
- orchestratorWorkflowLog.Print("Processing post-steps")
-
- workflowData.PostSteps = c.extractTopLevelYAMLSection(frontmatter, "post-steps")
+// processAndMergePreSteps handles the processing and merging of pre-steps with action pinning.
+// Pre-steps run at the very beginning of the agent job, before checkout and the subsequent
+// built-in steps, allowing users to mint tokens or perform other setup that must happen
+// before the repository is checked out. Imported pre-steps are merged before the main
+// workflow's pre-steps so that the main workflow can override or extend the imports.
+func (c *Compiler) processAndMergePreSteps(frontmatter map[string]any, workflowData *WorkflowData, importsResult *parser.ImportsResult) {
+ orchestratorWorkflowLog.Print("Processing and merging pre-steps")
+
+ mainPreStepsYAML := c.extractTopLevelYAMLSection(frontmatter, "pre-steps")
+
+ // Parse imported pre-steps if present (these go before the main workflow's pre-steps)
+ var importedPreSteps []any
+ if importsResult.MergedPreSteps != "" {
+ if err := yaml.Unmarshal([]byte(importsResult.MergedPreSteps), &importedPreSteps); err != nil {
+ orchestratorWorkflowLog.Printf("Failed to unmarshal imported pre-steps: %v", err)
+ } else {
+ typedImported, err := SliceToSteps(importedPreSteps)
+ if err != nil {
+ orchestratorWorkflowLog.Printf("Failed to convert imported pre-steps to typed steps: %v", err)
+ } else {
+ typedImported = ApplyActionPinsToTypedSteps(typedImported, workflowData)
+ importedPreSteps = StepsToSlice(typedImported)
+ }
+ }
+ }
- // Apply action pinning to post-steps if any
- if workflowData.PostSteps != "" {
- var postStepsWrapper map[string]any
- if err := yaml.Unmarshal([]byte(workflowData.PostSteps), &postStepsWrapper); err == nil {
- if postStepsVal, hasPostSteps := postStepsWrapper["post-steps"]; hasPostSteps {
- if postSteps, ok := postStepsVal.([]any); ok {
- // Convert to typed steps for action pinning
- typedPostSteps, err := SliceToSteps(postSteps)
+ // Parse main workflow pre-steps if present
+ var mainPreSteps []any
+ if mainPreStepsYAML != "" {
+ var mainWrapper map[string]any
+ if err := yaml.Unmarshal([]byte(mainPreStepsYAML), &mainWrapper); err == nil {
+ if mainVal, ok := mainWrapper["pre-steps"]; ok {
+ if steps, ok := mainVal.([]any); ok {
+ mainPreSteps = steps
+ typedMain, err := SliceToSteps(mainPreSteps)
if err != nil {
- orchestratorWorkflowLog.Printf("Failed to convert post-steps to typed steps: %v", err)
+ orchestratorWorkflowLog.Printf("Failed to convert main pre-steps to typed steps: %v", err)
} else {
- // Apply action pinning to post steps using type-safe version
- typedPostSteps = ApplyActionPinsToTypedSteps(typedPostSteps, workflowData)
- // Convert back to []any for YAML marshaling
- postSteps = StepsToSlice(typedPostSteps)
+ typedMain = ApplyActionPinsToTypedSteps(typedMain, workflowData)
+ mainPreSteps = StepsToSlice(typedMain)
}
+ }
+ }
+ }
+ }
+
+ // Merge in order: imported pre-steps first, then main workflow's pre-steps
+ var allPreSteps []any
+ if len(importedPreSteps) > 0 || len(mainPreSteps) > 0 {
+ allPreSteps = append(allPreSteps, importedPreSteps...)
+ allPreSteps = append(allPreSteps, mainPreSteps...)
+
+ stepsWrapper := map[string]any{"pre-steps": allPreSteps}
+ stepsYAML, err := yaml.Marshal(stepsWrapper)
+ if err == nil {
+ workflowData.PreSteps = unquoteUsesWithComments(string(stepsYAML))
+ }
+ }
+}
+
+// processAndMergePostSteps handles the processing and merging of post-steps with action pinning.
+// Imported post-steps are appended after the main workflow's post-steps.
+func (c *Compiler) processAndMergePostSteps(frontmatter map[string]any, workflowData *WorkflowData, importsResult *parser.ImportsResult) {
+ orchestratorWorkflowLog.Print("Processing and merging post-steps")
- // Convert back to YAML with "post-steps:" wrapper
- stepsWrapper := map[string]any{"post-steps": postSteps}
- stepsYAML, err := yaml.Marshal(stepsWrapper)
- if err == nil {
- // Remove quotes from uses values with version comments
- workflowData.PostSteps = unquoteUsesWithComments(string(stepsYAML))
+ mainPostStepsYAML := c.extractTopLevelYAMLSection(frontmatter, "post-steps")
+
+ // Parse imported post-steps if present (these go after the main workflow's post-steps)
+ var importedPostSteps []any
+ if importsResult.MergedPostSteps != "" {
+ if err := yaml.Unmarshal([]byte(importsResult.MergedPostSteps), &importedPostSteps); err != nil {
+ orchestratorWorkflowLog.Printf("Failed to unmarshal imported post-steps: %v", err)
+ } else {
+ typedImported, err := SliceToSteps(importedPostSteps)
+ if err != nil {
+ orchestratorWorkflowLog.Printf("Failed to convert imported post-steps to typed steps: %v", err)
+ } else {
+ typedImported = ApplyActionPinsToTypedSteps(typedImported, workflowData)
+ importedPostSteps = StepsToSlice(typedImported)
+ }
+ }
+ }
+
+ // Parse main workflow post-steps if present
+ var mainPostSteps []any
+ if mainPostStepsYAML != "" {
+ var mainWrapper map[string]any
+ if err := yaml.Unmarshal([]byte(mainPostStepsYAML), &mainWrapper); err == nil {
+ if mainVal, ok := mainWrapper["post-steps"]; ok {
+ if steps, ok := mainVal.([]any); ok {
+ mainPostSteps = steps
+ typedMain, err := SliceToSteps(mainPostSteps)
+ if err != nil {
+ orchestratorWorkflowLog.Printf("Failed to convert main post-steps to typed steps: %v", err)
+ } else {
+ typedMain = ApplyActionPinsToTypedSteps(typedMain, workflowData)
+ mainPostSteps = StepsToSlice(typedMain)
}
}
}
}
}
+
+ // Merge in order: main workflow's post-steps first, then imported post-steps
+ var allPostSteps []any
+ if len(mainPostSteps) > 0 || len(importedPostSteps) > 0 {
+ allPostSteps = append(allPostSteps, mainPostSteps...)
+ allPostSteps = append(allPostSteps, importedPostSteps...)
+
+ stepsWrapper := map[string]any{"post-steps": allPostSteps}
+ stepsYAML, err := yaml.Marshal(stepsWrapper)
+ if err == nil {
+ workflowData.PostSteps = unquoteUsesWithComments(string(stepsYAML))
+ }
+ }
}
// processAndMergeServices handles the merging of imported services with main workflow services
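Review bot: Action pinning fails open in both new functions: when `SliceToSteps` returns an error the code only logs it and keeps the raw `importedPreSteps` / `mainPreSteps` (and the post-step equivalents), which are then marshalled into `workflowData.PreSteps` / `workflowData.PostSteps` unpinned. A failed `yaml.Unmarshal` of `importsResult.MergedPreSteps` is only logged, and a failed unmarshal of the main section or a failed `yaml.Marshal` is ignored outright, so steps can vanish without the compile failing. Pinning is a supply-chain control and pre-steps run before checkout, so these paths should fail the compile, which means returning an `error` from both functions and propagating it from `ParseWorkflowFile`. The doc comment's `so that the main workflow can override or extend the imports` overstates what the code does, which is plain concatenation; `so that the main workflow's pre-steps run after the imported ones` is accurate. The two functions differ only in key and merge order, so a shared helper would keep them from drifting.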
diff --git a/pkg/workflow/compiler_orchestrator_workflow_test.go b/pkg/workflow/compiler_orchestrator_workflow_test.go
index 0887dbb6fef..1a75bb592fa 100644
--- a/pkg/workflow/compiler_orchestrator_workflow_test.go
+++ b/pkg/workflow/compiler_orchestrator_workflow_test.go
@@ -401,8 +401,9 @@ func TestProcessAndMergePostSteps_NoPostSteps(t *testing.T) {
compiler := NewCompiler()
workflowData := &WorkflowData{}
frontmatter := map[string]any{}
+ importsResult := &parser.ImportsResult{}
- compiler.processAndMergePostSteps(frontmatter, workflowData)
+ compiler.processAndMergePostSteps(frontmatter, workflowData, importsResult)
assert.Empty(t, workflowData.PostSteps)
}
@@ -430,14 +431,105 @@ func TestProcessAndMergePostSteps_WithPostSteps(t *testing.T) {
},
},
}
+ importsResult := &parser.ImportsResult{}
- compiler.processAndMergePostSteps(frontmatter, workflowData)
+ compiler.processAndMergePostSteps(frontmatter, workflowData, importsResult)
assert.NotEmpty(t, workflowData.PostSteps)
assert.Contains(t, workflowData.PostSteps, "Cleanup")
assert.Contains(t, workflowData.PostSteps, "Upload logs")
}
+// TestProcessAndMergePostSteps_WithImportedPostSteps tests that imported post-steps are appended
+func TestProcessAndMergePostSteps_WithImportedPostSteps(t *testing.T) {
+ compiler := NewCompiler()
+ workflowData := &WorkflowData{}
+
+ frontmatter := map[string]any{
+ "post-steps": []any{
+ map[string]any{"name": "Main post step", "run": "echo 'main'"},
+ },
+ }
+
+ importedPostStepsYAML, err := yaml.Marshal([]any{
+ map[string]any{"name": "Imported post step", "run": "echo 'imported'"},
+ })
+ require.NoError(t, err, "yaml.Marshal should not fail for well-formed post-steps")
+ importsResult := &parser.ImportsResult{
+ MergedPostSteps: string(importedPostStepsYAML),
+ }
+
+ compiler.processAndMergePostSteps(frontmatter, workflowData, importsResult)
+
+ assert.Contains(t, workflowData.PostSteps, "Main post step")
+ assert.Contains(t, workflowData.PostSteps, "Imported post step")
+
+ // Main workflow's post-steps should come before imported ones
+ mainIdx := strings.Index(workflowData.PostSteps, "Main post step")
+ importedIdx := strings.Index(workflowData.PostSteps, "Imported post step")
+ assert.Less(t, mainIdx, importedIdx, "Main post-steps should come before imported ones")
+}
+
+// TestProcessAndMergePreSteps_NoPreSteps tests processAndMergePreSteps with no pre-steps
+func TestProcessAndMergePreSteps_NoPreSteps(t *testing.T) {
+ compiler := NewCompiler()
+ workflowData := &WorkflowData{}
+ frontmatter := map[string]any{}
+ importsResult := &parser.ImportsResult{}
+
+ compiler.processAndMergePreSteps(frontmatter, workflowData, importsResult)
+
+ assert.Empty(t, workflowData.PreSteps)
+}
+
+// TestProcessAndMergePreSteps_WithPreSteps tests processAndMergePreSteps with pre-steps defined
+func TestProcessAndMergePreSteps_WithPreSteps(t *testing.T) {
+ compiler := NewCompiler()
+ workflowData := &WorkflowData{}
+
+ frontmatter := map[string]any{
+ "pre-steps": []any{
+ map[string]any{"name": "Mint token", "run": "echo 'minting'"},
+ },
+ }
+ importsResult := &parser.ImportsResult{}
+
+ compiler.processAndMergePreSteps(frontmatter, workflowData, importsResult)
+
+ assert.NotEmpty(t, workflowData.PreSteps)
+ assert.Contains(t, workflowData.PreSteps, "Mint token")
+}
+
+// TestProcessAndMergePreSteps_WithImportedPreSteps tests that imported pre-steps are prepended
+func TestProcessAndMergePreSteps_WithImportedPreSteps(t *testing.T) {
+ compiler := NewCompiler()
+ workflowData := &WorkflowData{}
+
+ frontmatter := map[string]any{
+ "pre-steps": []any{
+ map[string]any{"name": "Main pre step", "run": "echo 'main'"},
+ },
+ }
+
+ importedPreStepsYAML, err := yaml.Marshal([]any{
+ map[string]any{"name": "Imported pre step", "run": "echo 'imported'"},
+ })
+ require.NoError(t, err, "yaml.Marshal should not fail for well-formed pre-steps")
+ importsResult := &parser.ImportsResult{
+ MergedPreSteps: string(importedPreStepsYAML),
+ }
+
+ compiler.processAndMergePreSteps(frontmatter, workflowData, importsResult)
+
+ assert.Contains(t, workflowData.PreSteps, "Main pre step")
+ assert.Contains(t, workflowData.PreSteps, "Imported pre step")
+
+ // Imported pre-steps should come before the main workflow's pre-steps
+ importedIdx := strings.Index(workflowData.PreSteps, "Imported pre step")
+ mainIdx := strings.Index(workflowData.PreSteps, "Main pre step")
+ assert.Less(t, importedIdx, mainIdx, "Imported pre-steps should come before main pre-steps")
+}
+
// TestProcessAndMergeServices_NoServices tests processAndMergeServices with no services
func TestProcessAndMergeServices_NoServices(t *testing.T) {
compiler := NewCompiler()
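Review bot: The new pre-step and post-step cases use only `run:` steps, so the `ApplyActionPinsToTypedSteps` path is never exercised with a `uses:` entry, and no case feeds a malformed `MergedPreSteps` / `MergedPostSteps` string. Add one case per function with a `uses:` step asserting the pinned form, and one with unparsable imported YAML asserting the intended failure behaviour. The ordering assertions call `strings.Index` after `assert.Contains`, which does not stop the test, so a missing name yields `-1` and `assert.Less` can pass or fail for the wrong reason; switching those two checks to `require.Contains` fixes that.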
diff --git a/pkg/workflow/compiler_presteps_test.go b/pkg/workflow/compiler_presteps_test.go
new file mode 100644
index 00000000000..53773b8cc94
--- /dev/null
+++ b/pkg/workflow/compiler_presteps_test.go
@@ -0,0 +1,288 @@
+//go:build !integration
+
+package workflow
+
+import (
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
+
+ "github.com/github/gh-aw/pkg/testutil"
+)
+
+// TestPreStepsGeneration verifies that pre-steps are emitted before checkout and all
+// other built-in steps in the agent job.
+func TestPreStepsGeneration(t *testing.T) {
+ tmpDir := testutil.TempDir(t, "pre-steps-test")
+
+ testContent := `---
+on: push
+permissions:
+ contents: read
+ issues: read
+ pull-requests: read
+tools:
+ github:
+ allowed: [list_issues]
+pre-steps:
+ - name: Mint short-lived token
+ id: mint
+ uses: some-org/token-minting-action@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
+ with:
+ scope: target-org/target-repo
+steps:
+ - name: Custom Setup Step
+ run: echo "Custom setup"
+post-steps:
+ - name: Post AI Step
+ run: echo "This runs after AI"
+engine: claude
+strict: false
+---
+
+# Test Pre-Steps Workflow
+
+This workflow tests the pre-steps functionality.
+`
+
+ testFile := filepath.Join(tmpDir, "test-pre-steps.md")
+ if err := os.WriteFile(testFile, []byte(testContent), 0644); err != nil {
+ t.Fatal(err)
+ }
+
+ compiler := NewCompiler()
+
+ if err := compiler.CompileWorkflow(testFile); err != nil {
+ t.Fatalf("Unexpected error compiling workflow with pre-steps: %v", err)
+ }
+
+ lockFile := filepath.Join(tmpDir, "test-pre-steps.lock.yml")
+ content, err := os.ReadFile(lockFile)
+ if err != nil {
+ t.Fatalf("Failed to read generated lock file: %v", err)
+ }
+
+ lockContent := string(content)
+
+ // Verify all three step types appear (check name value, not "- name:" prefix
+ // since steps with an id field have id: first in the YAML output)
+ if !strings.Contains(lockContent, "name: Mint short-lived token") {
+ t.Error("Expected pre-step 'Mint short-lived token' to be in generated workflow")
+ }
+ if !strings.Contains(lockContent, "name: Custom Setup Step") {
+ t.Error("Expected custom step 'Custom Setup Step' to be in generated workflow")
+ }
+ if !strings.Contains(lockContent, "name: Post AI Step") {
+ t.Error("Expected post-step 'Post AI Step' to be in generated workflow")
+ }
+
+ // Pre-steps must appear before checkout, custom steps, and AI execution
+ preStepIndex := indexInNonCommentLines(lockContent, "name: Mint short-lived token")
+ checkoutIndex := indexInNonCommentLines(lockContent, "- name: Checkout repository")
+ customStepIndex := indexInNonCommentLines(lockContent, "- name: Custom Setup Step")
+ aiStepIndex := indexInNonCommentLines(lockContent, "- name: Execute Claude Code CLI")
+ postStepIndex := indexInNonCommentLines(lockContent, "- name: Post AI Step")
+
+ if preStepIndex == -1 {
+ t.Fatal("Could not find pre-step in generated workflow")
+ }
+ if checkoutIndex == -1 {
+ t.Fatal("Could not find checkout step in generated workflow")
+ }
+ if customStepIndex == -1 {
+ t.Fatal("Could not find custom step in generated workflow")
+ }
+ if aiStepIndex == -1 {
+ t.Fatal("Could not find AI execution step in generated workflow")
+ }
+ if postStepIndex == -1 {
+ t.Fatal("Could not find post-step in generated workflow")
+ }
+
+ if preStepIndex >= checkoutIndex {
+ t.Errorf("Pre-step (%d) should appear before checkout step (%d)", preStepIndex, checkoutIndex)
+ }
+ if preStepIndex >= customStepIndex {
+ t.Errorf("Pre-step (%d) should appear before custom step (%d)", preStepIndex, customStepIndex)
+ }
+ if preStepIndex >= aiStepIndex {
+ t.Errorf("Pre-step (%d) should appear before AI execution step (%d)", preStepIndex, aiStepIndex)
+ }
+ if postStepIndex <= aiStepIndex {
+ t.Errorf("Post-step (%d) should appear after AI execution step (%d)", postStepIndex, aiStepIndex)
+ }
+
+ t.Logf("Step order verified: pre-step(%d) < checkout(%d) < custom(%d) < AI(%d) < post(%d)",
+ preStepIndex, checkoutIndex, customStepIndex, aiStepIndex, postStepIndex)
+}
+
+// TestPreStepsTokenAvailableForCheckout verifies that a token minted in a pre-step
+// can be referenced in checkout.token via a steps expression, avoiding the cross-job
+// masked-value issue.
+func TestPreStepsTokenAvailableForCheckout(t *testing.T) {
+ tmpDir := testutil.TempDir(t, "pre-steps-token-test")
+
+ testContent := `---
+on: workflow_dispatch
+permissions:
+ contents: read
+ id-token: write
+pre-steps:
+ - name: Mint token
+ id: mint
+ uses: some-org/token-action@b1c2d3e4f5a6b1c2d3e4f5a6b1c2d3e4f5a6b1c2
+ with:
+ scope: target-org/target-repo
+checkout:
+ - repository: target-org/target-repo
+ path: target
+ token: ${{ steps.mint.outputs.token }}
+ current: false
+ - path: .
+engine: claude
+strict: false
+---
+
+Read a file from the checked-out repo.
+`
+
+ testFile := filepath.Join(tmpDir, "test-pre-steps-token.md")
+ if err := os.WriteFile(testFile, []byte(testContent), 0644); err != nil {
+ t.Fatal(err)
+ }
+
+ compiler := NewCompiler()
+
+ if err := compiler.CompileWorkflow(testFile); err != nil {
+ t.Fatalf("Unexpected error compiling workflow: %v", err)
+ }
+
+ lockFile := filepath.Join(tmpDir, "test-pre-steps-token.lock.yml")
+ content, err := os.ReadFile(lockFile)
+ if err != nil {
+ t.Fatalf("Failed to read generated lock file: %v", err)
+ }
+
+ lockContent := string(content)
+
+ // The minting step must appear in the agent job
+ agentJobSection := extractJobSection(lockContent, "agent")
+ if agentJobSection == "" {
+ t.Fatal("Agent job section not found in generated workflow")
+ }
+
+ if !strings.Contains(agentJobSection, "name: Mint token") {
+ t.Error("Expected pre-step 'Mint token' to be in the agent job")
+ }
+
+ // The token reference must appear in the checkout step
+ if !strings.Contains(agentJobSection, "steps.mint.outputs.token") {
+ t.Error("Expected steps.mint.outputs.token reference in agent job checkout step")
+ }
+
+ // The pre-step must appear before the checkout step
+ mintIndex := indexInNonCommentLines(agentJobSection, "name: Mint token")
+ checkoutIndex := indexInNonCommentLines(agentJobSection, "- name: Checkout target-org/target-repo into target")
+ if mintIndex == -1 {
+ t.Fatal("Could not find mint step in agent job")
+ }
+ if checkoutIndex == -1 {
+ t.Fatal("Could not find cross-repo checkout step in agent job")
+ }
+ if mintIndex >= checkoutIndex {
+ t.Errorf("Pre-step mint (%d) should appear before cross-repo checkout (%d)", mintIndex, checkoutIndex)
+ }
+}
+
+// TestPreStepsOnly verifies that a workflow with only pre-steps (no custom steps or post-steps)
+// compiles correctly.
+func TestPreStepsOnly(t *testing.T) {
+ tmpDir := testutil.TempDir(t, "pre-steps-only-test")
+
+ testContent := `---
+on: issues
+permissions:
+ contents: read
+ issues: read
+pre-steps:
+ - name: Only Pre Step
+ run: echo "This runs before checkout"
+engine: claude
+strict: false
+---
+
+# Test Pre-Steps Only Workflow
+
+This workflow tests pre-steps without custom steps or post-steps.
+`
+
+ testFile := filepath.Join(tmpDir, "test-pre-steps-only.md")
+ if err := os.WriteFile(testFile, []byte(testContent), 0644); err != nil {
+ t.Fatal(err)
+ }
+
+ compiler := NewCompiler()
+
+ if err := compiler.CompileWorkflow(testFile); err != nil {
+ t.Fatalf("Unexpected error compiling workflow with pre-steps only: %v", err)
+ }
+
+ lockFile := filepath.Join(tmpDir, "test-pre-steps-only.lock.yml")
+ content, err := os.ReadFile(lockFile)
+ if err != nil {
+ t.Fatalf("Failed to read generated lock file: %v", err)
+ }
+
+ lockContent := string(content)
+
+ if !strings.Contains(lockContent, "- name: Only Pre Step") {
+ t.Error("Expected pre-step 'Only Pre Step' to be in generated workflow")
+ }
+
+ // Default checkout must still be present and after the pre-step
+ preStepIndex := indexInNonCommentLines(lockContent, "- name: Only Pre Step")
+ checkoutIndex := indexInNonCommentLines(lockContent, "- name: Checkout repository")
+ aiStepIndex := indexInNonCommentLines(lockContent, "- name: Execute Claude Code CLI")
+
+ if preStepIndex == -1 {
+ t.Fatal("Could not find pre-step in generated workflow")
+ }
+ if checkoutIndex == -1 {
+ t.Error("Expected default checkout step to still be present")
+ }
+ if aiStepIndex == -1 {
+ t.Fatal("Could not find AI execution step in generated workflow")
+ }
+
+ if checkoutIndex != -1 && preStepIndex >= checkoutIndex {
+ t.Errorf("Pre-step (%d) should appear before checkout step (%d)", preStepIndex, checkoutIndex)
+ }
+ if preStepIndex >= aiStepIndex {
+ t.Errorf("Pre-step (%d) should appear before AI execution step (%d)", preStepIndex, aiStepIndex)
+ }
+}
+
+// TestPreStepsSecretsValidation verifies that secrets in pre-steps trigger the same
+// strict-mode error and non-strict warning as secrets in steps and post-steps.
+func TestPreStepsSecretsValidation(t *testing.T) {
+ compiler := NewCompiler()
+ compiler.strictMode = true
+
+ frontmatter := map[string]any{
+ "pre-steps": []any{
+ map[string]any{
+ "name": "Use secret in pre-step",
+ "run": "echo ${{ secrets.MY_SECRET }}",
+ },
+ },
+ }
+
+ err := compiler.validateStepsSecrets(frontmatter)
+ if err == nil {
+ t.Error("Expected strict-mode error for secrets in pre-steps but got nil")
+ }
+ if !strings.Contains(err.Error(), "pre-steps") {
+ t.Errorf("Expected error to mention 'pre-steps', got: %v", err)
+ }
+}
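Review bot: In `TestPreStepsSecretsValidation` the nil check uses `t.Error`, so when `validateStepsSecrets` returns nil the test carries on to `err.Error()` and panics on a nil error instead of failing cleanly. Use `t.Fatal("Expected strict-mode error for secrets in pre-steps but got nil")` for that check. The doc comment also promises coverage of the non-strict warning, but only `compiler.strictMode = true` is exercised; either add a non-strict case that asserts a nil error or narrow the comment to strict mode.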
diff --git a/pkg/workflow/compiler_types.go b/pkg/workflow/compiler_types.go
index dd9c1ad6e48..0245de556d7 100644
--- a/pkg/workflow/compiler_types.go
+++ b/pkg/workflow/compiler_types.go
@@ -424,6 +424,7 @@ type WorkflowData struct {
If string
TimeoutMinutes string
CustomSteps string
+ PreSteps string // steps to run at the very start of the agent job, before checkout
PostSteps string // steps to run after AI execution
RunsOn string
RunsOnSlim string // runner override for all framework/generated jobs (activation, safe-outputs, unlock, etc.)
diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go
index c4d56475ba3..b42a6f94ab5 100644
--- a/pkg/workflow/compiler_yaml.go
+++ b/pkg/workflow/compiler_yaml.go
@@ -603,27 +603,32 @@ func writePromptBashStep(yaml *strings.Builder, name, script string) {
fmt.Fprintf(yaml, " run: bash ${RUNNER_TEMP}/gh-aw/actions/%s\n", script)
}
+func (c *Compiler) generatePreSteps(yaml *strings.Builder, data *WorkflowData) {
+ writeStepsSection(yaml, data.PreSteps)
+}
+
func (c *Compiler) generatePostSteps(yaml *strings.Builder, data *WorkflowData) {
- if data.PostSteps != "" {
- // Remove "post-steps:" line and adjust indentation, similar to CustomSteps processing
- lines := strings.Split(data.PostSteps, "\n")
- if len(lines) > 1 {
- for _, line := range lines[1:] {
- // Trim trailing whitespace
- trimmed := strings.TrimRight(line, " ")
- // Skip empty lines
- if strings.TrimSpace(trimmed) == "" {
- yaml.WriteString("\n")
- continue
- }
- // Steps need 6-space indentation ( - name:)
- // Nested properties need 8-space indentation ( run:)
- if strings.HasPrefix(line, " ") {
- yaml.WriteString(" " + line[2:] + "\n")
- } else {
- yaml.WriteString(" " + line + "\n")
- }
- }
+ writeStepsSection(yaml, data.PostSteps)
+}
+
+// writeStepsSection writes a steps section (pre-steps or post-steps) to the YAML builder,
+// stripping the header line and normalising indentation to match the agent job step format:
+// top-level items get 6-space indent ( - name:) and nested properties get 8-space indent ( run:).
+func writeStepsSection(yaml *strings.Builder, stepsYAML string) {
+ if stepsYAML == "" {
+ return
+ }
+ lines := strings.Split(stepsYAML, "\n")
+ for _, line := range lines[1:] { // skip the "pre-steps:" / "post-steps:" header line
+ trimmed := strings.TrimRight(line, " ")
+ if strings.TrimSpace(trimmed) == "" {
+ yaml.WriteString("\n")
+ continue
+ }
+ if strings.HasPrefix(line, " ") {
+ yaml.WriteString(" " + line[2:] + "\n")
+ } else {
+ yaml.WriteString(" " + line + "\n")
}
}
}
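Review bot: In `writeStepsSection`, `trimmed` feeds only the blank-line test while both writes below still use `line`, so the `TrimRight` has no effect on the output and trailing spaces reach the generated YAML. The behaviour-preserving cleanup is to drop the variable and test `strings.TrimSpace(line) == ""`; if trimming was intended, write from `trimmed` in both branches instead. `generatePreSteps` is also added without a doc comment; a line such as `// generatePreSteps emits the workflow's pre-steps section into the agent job.` would match the documented helper below it.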
diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go
index 392040f3b60..6d99417089c 100644
--- a/pkg/workflow/compiler_yaml_main_job.go
+++ b/pkg/workflow/compiler_yaml_main_job.go
@@ -20,6 +20,15 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat
yaml.WriteString(generateOTLPHeadersMaskStep())
}
+ // Add pre-steps before checkout and the subsequent built-in steps in this agent job.
+ // This allows users to mint short-lived tokens (via custom actions) in the same
+ // job as checkout, so the tokens are never dropped by the GitHub Actions runner's
+ // add-mask behaviour that silently suppresses masked values across job boundaries.
+ // Step outputs are available as ${{ steps..outputs. }} and can be
+ // referenced directly in checkout.token. Some compiler-injected setup steps may
+ // still be emitted earlier than these pre-steps.
+ c.generatePreSteps(yaml, data)
+
// Determine if we need to add a checkout step
needsCheckout := c.shouldAddCheckoutStep(data)
compilerYamlLog.Printf("Checkout step needed: %t", needsCheckout)
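Review bot: The comment above `c.generatePreSteps(yaml, data)` explains why pre-steps live in the agent job but leaves out the trade-off: whatever a pre-step mints now exists in the same job as the AI execution step. A sentence such as `// Tokens minted here share a job with the agent run; keep their scope and lifetime minimal.` would give workflow authors that caveat where the design decision is recorded. Whether later steps can actually read the minted value depends on how the checkout step persists credentials, which is not visible in this hunk. `generateMainJobSteps` starts and ends outside the hunk.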
diff --git a/pkg/workflow/frontmatter_types.go b/pkg/workflow/frontmatter_types.go
index e0d8a38f0fe..0bd65c9f2ab 100644
--- a/pkg/workflow/frontmatter_types.go
+++ b/pkg/workflow/frontmatter_types.go
@@ -187,6 +187,7 @@ type FrontmatterConfig struct {
RunsOn string `json:"runs-on,omitempty"`
RunsOnSlim string `json:"runs-on-slim,omitempty"` // Runner for all framework/generated jobs (activation, safe-outputs, unlock, etc.)
RunName string `json:"run-name,omitempty"`
+ PreSteps []any `json:"pre-steps,omitempty"` // Pre-workflow steps (run before checkout)
Steps []any `json:"steps,omitempty"` // Custom workflow steps
PostSteps []any `json:"post-steps,omitempty"` // Post-workflow steps
Environment map[string]any `json:"environment,omitempty"` // GitHub environment
@@ -666,6 +667,9 @@ func (fc *FrontmatterConfig) ToMap() map[string]any {
if fc.RunName != "" {
result["run-name"] = fc.RunName
}
+ if fc.PreSteps != nil {
+ result["pre-steps"] = fc.PreSteps
+ }
if fc.Steps != nil {
result["steps"] = fc.Steps
}
diff --git a/pkg/workflow/strict_mode_steps_validation.go b/pkg/workflow/strict_mode_steps_validation.go
index 815758e59ca..d3fb14c7f6b 100644
--- a/pkg/workflow/strict_mode_steps_validation.go
+++ b/pkg/workflow/strict_mode_steps_validation.go
@@ -19,13 +19,13 @@ import (
"github.com/github/gh-aw/pkg/sliceutil"
)
-// validateStepsSecrets checks both the "steps" and "post-steps" frontmatter sections
+// validateStepsSecrets checks the "pre-steps", "steps", and "post-steps" frontmatter sections
// for secrets expressions (e.g. ${{ secrets.MY_SECRET }}).
//
// In strict mode the presence of any such expression is treated as an error.
// In non-strict mode a warning is emitted instead.
func (c *Compiler) validateStepsSecrets(frontmatter map[string]any) error {
- for _, sectionName := range []string{"steps", "post-steps"} {
+ for _, sectionName := range []string{"pre-steps", "steps", "post-steps"} {
if err := c.validateStepsSectionSecrets(frontmatter, sectionName); err != nil {
return err
}
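Review bot: `validateStepsSecrets` walks only the `frontmatter` map, so the new `"pre-steps"` entry covers the main workflow's section but not pre-steps that arrive through imports as `MergedPreSteps`. If imported files are not validated on their own path (not visible here), a `${{ secrets.* }}` expression in an imported pre-step would skip the strict-mode error and end up in the agent job. Worth confirming, and recording in the doc comment with something like `// Imported pre-steps are validated by <import validation path>.` The function body continues outside the hunk.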
diff --git a/scratchpad/dev.md b/scratchpad/dev.md
index 1e5142ae24f..d04959830aa 100644
--- a/scratchpad/dev.md
+++ b/scratchpad/dev.md
@@ -1,7 +1,7 @@
# Developer Instructions
-**Version**: 5.4
-**Last Updated**: 2026-04-07
+**Version**: 5.5
+**Last Updated**: 2026-04-08
**Purpose**: Consolidated development guidelines for GitHub Agentic Workflows
This document consolidates specifications from the scratchpad directory into unified developer instructions. It provides architecture patterns, security guidelines, code organization rules, and testing practices.
@@ -1915,6 +1915,50 @@ Enable debug logging to trace transformations:
DEBUG=workflow:expression_extraction gh aw compile workflow.md
```
+### WorkQueueOps Pattern
+
+WorkQueueOps processes a backlog of work items incrementally — surviving interruptions, rate limits, and multi-day horizons. Use it when operations are idempotent and progress visibility matters. Four queue strategies are available:
+
+| Strategy | Backend | Best For |
+|----------|---------|----------|
+| Issue Checklist | GitHub issue checkboxes | Small batches (< 100 items), human-readable |
+| Sub-Issues | Sub-issues of a parent tracking issue | Hundreds of items with per-item discussion threads |
+| Cache-Memory | JSON file in `/tmp/gh-aw/cache-memory/` | Large queues, multi-day horizons, programmatic items |
+| Discussion Queue | GitHub Discussion unresolved replies | Community-sourced queues, async collaboration |
+
+**Idempotency requirements**: All WorkQueueOps workflows must be idempotent. Use `concurrency.group` with `cancel-in-progress: false` to prevent parallel runs processing the same item. Check current state before acting (label present? comment exists?).
+
+**Concurrency control**: Set `concurrency.group` scoped to the queue identifier (e.g., `workqueue-${{ inputs.queue_issue }}`).
+
+**Cache-memory filename convention**: Use filesystem-safe timestamps (`YYYY-MM-DD-HH-MM-SS-sss`, no colons) in filenames.
+
+See `docs/src/content/docs/patterns/workqueue-ops.md` for complete examples.
+
+### BatchOps Pattern
+
+BatchOps processes large volumes of independent work items efficiently by splitting work into chunks and parallelizing where possible. Use it when items are independent and throughput matters over ordering.
+
+**When to use BatchOps vs WorkQueueOps**:
+
+| Scenario | Pattern |
+|----------|---------|
+| < 50 items, order matters | WorkQueueOps |
+| 50–500 items, order doesn't matter | BatchOps (chunked) |
+| > 500 items, high parallelism safe | BatchOps (matrix fan-out) |
+| Items have dependencies | WorkQueueOps |
+| Strict rate limits | BatchOps (rate-limit-aware) |
+
+Four batch strategies are available:
+
+- **Chunked processing**: Split by `GITHUB_RUN_NUMBER` page offset; each scheduled run processes one page with a stable sort key
+- **Fan-out with matrix**: Use GitHub Actions `matrix` to run parallel shards; assign items by `issue_number % total_shards`; set `fail-fast: false`
+- **Rate-limit-aware**: Process items in sub-batches with explicit pauses; on HTTP 429 pause 60 seconds and retry once
+- **Result aggregation**: Collect results from multiple runs via cache-memory; aggregate into a summary issue
+
+**Error handling**: Track `retry_count` per failed item; after 3 failures move to `permanently_failed` for human review. Write per-item results before advancing to the next item.
+
+See `docs/src/content/docs/patterns/batch-ops.md` for complete examples.
+
---
## MCP Integration
@@ -2737,6 +2781,8 @@ These files are loaded automatically by compatible AI tools (e.g., GitHub Copilo
- [Safe Output Handler Factory Pattern](./safe-output-handlers-refactoring.md) - Refactoring status for all 11 safe output handlers to the handler factory pattern (`main(config)` returns a message handler function): per-handler status, testing strategy, and handler manager compatibility
- [Serena Tools Statistical Analysis](./serena-tools-analysis.md) - Deep statistical analysis of Serena MCP tool usage in workflow run 21560089409: tool adoption rates (26% of registered tools used), call distributions, and unused tool identification
- [GitHub API Rate Limit Observability](./github-rate-limit-observability.md) - JSONL artifact logging and OTLP span enrichment for GitHub API rate-limit visibility: `github_rate_limit_logger.cjs` helper, three usage patterns, artifact upload paths, and `jq` debugging commands
+- [WorkQueueOps Design Pattern](../docs/src/content/docs/patterns/workqueue-ops.md) - Four queue strategies (issue checklist, sub-issues, cache-memory, discussion-based) for incremental backlog processing: idempotency requirements, concurrency control, and retry budgets
+- [BatchOps Design Pattern](../docs/src/content/docs/patterns/batch-ops.md) - Four batch strategies (chunked, matrix fan-out, rate-limit-aware, result aggregation) for high-volume parallel processing: shard assignment, partial failure handling, and real-world label migration example
### External References
@@ -2748,6 +2794,7 @@ These files are loaded automatically by compatible AI tools (e.g., GitHub Copilo
---
**Document History**:
+- v5.5 (2026-04-08): Added WorkQueueOps and BatchOps design pattern subsections to Workflow Patterns (from PR #25178: four queue strategies — issue checklist, sub-issues, cache-memory, discussion-based; four batch strategies — chunked, matrix fan-out, rate-limit-aware, result aggregation). Added 2 new Related Documentation links for `docs/src/content/docs/patterns/workqueue-ops.md` and `batch-ops.md`. Coverage: 75 spec files (2 new pattern docs).
- v5.4 (2026-04-07): Added `gh-aw.github.rate_limit.reset` OTLP span attribute to GitHub API Rate Limit Observability section (from PR #25061: ISO 8601 reset timestamp now included in conclusion spans). Coverage: 73 spec files (no new spec files).
- v5.3 (2026-04-05): Added GitHub API Rate Limit Observability subsection to MCP Integration (from PR #24694: `github_rate_limit_logger.cjs`, `GithubRateLimitsFilename` constant, artifact upload paths, OTLP span enrichment). Created new spec file `scratchpad/github-rate-limit-observability.md`. Added 1 new Related Documentation link. Coverage: 73 spec files (1 new).
- v5.2 (2026-04-04): Added Secrets in Custom Steps Validation subsection to Compiler Validation (from PR #24450: `pkg/workflow/strict_mode_steps_validation.go`). Documents `validateStepsSecrets()` behavior in strict vs. non-strict mode, `secrets.GITHUB_TOKEN` exemption, and migration guidance. Coverage: 72 spec files (no new spec files; new Go implementation only).
From af745cae1d9ccc2fbd3c333878e5b0192afeb99b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 8 Apr 2026 12:36:28 +0000
Subject: [PATCH 3/6] fix: address runner_guard review comments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Fix strict mode: exit code 1 fails even when JSON parsing fails
- Fix path traversal guard: use == ".." and HasPrefix("../") to avoid
rejecting legitimate "..foo" paths within the repo
- Fix Docker scan scope: pass workflowDir relative to gitRoot as scan
target instead of always scanning "." (the full repo root)
- Add runner_guard_test.go: JSON parsing, severity→errorType mapping,
path sanitization behavior
- Add docker_images_test.go test for useRunnerGuard=true (image downloading)
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7ced1697-6262-4a36-8d0d-c66db06a819a
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
pkg/cli/docker_images_test.go | 33 ++++
pkg/cli/runner_guard.go | 32 ++-
pkg/cli/runner_guard_test.go | 353 ++++++++++++++++++++++++++++++++++
3 files changed, 411 insertions(+), 7 deletions(-)
create mode 100644 pkg/cli/runner_guard_test.go
diff --git a/pkg/cli/docker_images_test.go b/pkg/cli/docker_images_test.go
index 5a280dcfc27..33022ac9955 100644
--- a/pkg/cli/docker_images_test.go
+++ b/pkg/cli/docker_images_test.go
@@ -588,3 +588,36 @@ func TestCheckAndPrepareDockerImages_DockerUnavailable_ReturnsTypedError(t *test
// Clean up
ResetDockerPullState()
}
+
+func TestCheckAndPrepareDockerImages_RunnerGuardImageDownloading(t *testing.T) {
+ // Reset state before test
+ ResetDockerPullState()
+
+ // Mock runner-guard image as not available
+ SetMockImageAvailable(RunnerGuardImage, false)
+
+ // Simulate multiple images already downloading
+ SetDockerImageDownloading(ZizmorImage, true)
+ SetDockerImageDownloading(PoutineImage, true)
+ SetDockerImageDownloading(RunnerGuardImage, true)
+
+ // Request all tools, including runner-guard
+ err := CheckAndPrepareDockerImages(context.Background(), true, true, true, true)
+ if err == nil {
+ t.Error("Expected error when images are downloading, got nil")
+ }
+
+ // Error should mention downloading images and runner-guard
+ if err != nil {
+ errMsg := err.Error()
+ if !strings.Contains(errMsg, "downloading") && !strings.Contains(errMsg, "retry") {
+ t.Errorf("Expected error to mention downloading and retry, got: %s", errMsg)
+ }
+ if !strings.Contains(errMsg, RunnerGuardImage) && !strings.Contains(errMsg, "runner-guard") {
+ t.Errorf("Expected error to mention runner-guard image %q or \"runner-guard\", got: %s", RunnerGuardImage, errMsg)
+ }
+ }
+
+ // Clean up
+ ResetDockerPullState()
+}
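Review bot: The first message check in `TestCheckAndPrepareDockerImages_RunnerGuardImageDownloading` joins its two `!strings.Contains` calls with `&&`, so it fails only when the error mentions neither "downloading" nor "retry", while the failure text says both are expected. If both words are required, the condition should be `if !strings.Contains(errMsg, "downloading") || !strings.Contains(errMsg, "retry") {`. Registering `t.Cleanup(ResetDockerPullState)` at the top, instead of the trailing call, would also restore the shared pull state when the test exits early.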
diff --git a/pkg/cli/runner_guard.go b/pkg/cli/runner_guard.go
index 9717f6deed2..5a63067ee98 100644
--- a/pkg/cli/runner_guard.go
+++ b/pkg/cli/runner_guard.go
@@ -51,8 +51,18 @@ func runRunnerGuardOnDirectory(workflowDir string, verbose bool, strict bool) er
return fmt.Errorf("git root is not an absolute path: %s", gitRoot)
}
+ // Determine the scan path: use workflowDir relative to gitRoot when possible,
+ // so the scan is scoped to the compiled workflows directory.
+ scanPath := "."
+ if workflowDir != "" {
+ relDir, relErr := filepath.Rel(gitRoot, workflowDir)
+ if relErr == nil && relDir != ".." && !strings.HasPrefix(relDir, ".."+string(filepath.Separator)) {
+ scanPath = relDir
+ }
+ }
+
// Build the Docker command
- // docker run --rm -v "$gitRoot:/workdir" -w /workdir ghcr.io/vigilant-llc/runner-guard:v3.0.1 scan . --format json
+ // docker run --rm -v "$gitRoot:/workdir" -w /workdir ghcr.io/vigilant-llc/runner-guard:v3.0.1 scan --format json
// #nosec G204 -- gitRoot comes from git rev-parse (trusted source) and is validated as absolute path.
// exec.Command with separate args (not shell execution) prevents command injection.
cmd := exec.Command(
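Review bot: `scanPath` comes from `filepath.Rel`, which returns OS-native separators, yet the value is passed to a tool running inside a Linux container, so on a Windows host a nested directory would arrive with backslashes. `scanPath = filepath.ToSlash(relDir)` avoids that. The fallback to `"."` is also silent: when `workflowDir` is relative (so `filepath.Rel` errors against the absolute `gitRoot`) or lies outside the root, the whole repository is scanned with no trace. An else branch with `runnerGuardLog.Printf("workflowDir %q is not under git root, scanning repository root", workflowDir)` would make the widened scope visible. `runRunnerGuardOnDirectory` starts and ends outside the hunk.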
@@ -63,7 +73,7 @@ func runRunnerGuardOnDirectory(workflowDir string, verbose bool, strict bool) er
"-w", "/workdir",
RunnerGuardImage,
"scan",
- ".",
+ scanPath,
"--format", "json",
)
@@ -72,8 +82,8 @@ func runRunnerGuardOnDirectory(workflowDir string, verbose bool, strict bool) er
// In verbose mode, also show the command that users can run directly
if verbose {
- dockerCmd := fmt.Sprintf("docker run --rm -v \"%s:/workdir\" -w /workdir %s scan . --format json",
- gitRoot, RunnerGuardImage)
+ dockerCmd := fmt.Sprintf("docker run --rm -v \"%s:/workdir\" -w /workdir %s scan %s --format json",
+ gitRoot, RunnerGuardImage, scanPath)
fmt.Fprintf(os.Stderr, "%s\n", console.FormatInfoMessage("Run runner-guard directly: "+dockerCmd))
}
@@ -106,8 +116,16 @@ func runRunnerGuardOnDirectory(workflowDir string, verbose bool, strict bool) er
runnerGuardLog.Printf("runner-guard exited with code %d (findings=%d)", exitCode, totalFindings)
// Exit code 1 typically indicates findings in the repository
if exitCode == 1 {
- if strict && totalFindings > 0 {
- return fmt.Errorf("strict mode: runner-guard found %d security findings - workflows must have no runner-guard findings in strict mode", totalFindings)
+ if strict {
+ if parseErr != nil {
+ // JSON parsing failed but exit code confirms findings exist
+ return fmt.Errorf("strict mode: runner-guard exited with code 1 (findings present) and output could not be parsed: %w", parseErr)
+ }
+ if totalFindings > 0 {
+ return fmt.Errorf("strict mode: runner-guard found %d security findings - workflows must have no runner-guard findings in strict mode", totalFindings)
+ }
+ // Exit code 1 with no parseable findings is still a failure in strict mode
+ return errors.New("strict mode: runner-guard exited with code 1 indicating findings are present")
}
// In non-strict mode, findings are logged but not treated as errors
return nil
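Review bot: In the non-strict path, exit code 1 still returns nil when `parseErr` is non-nil, so a run whose findings could not be parsed may finish with nothing shown to the user, unless the parse error is reported before this hunk (not visible). A scanner that cannot report its results should be loud in both modes; before the final `return nil`, `if parseErr != nil { fmt.Fprintf(os.Stderr, "runner-guard reported findings but its output could not be parsed: %v\n", parseErr) }` would cover it. The last strict branch also treats every exit code 1 as findings, which the comment above it calls only typical, so including the tool's stderr in that error would help tell a scanner failure from a real finding. The function starts and ends outside the hunk.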
@@ -184,7 +202,7 @@ func parseAndDisplayRunnerGuardOutput(stdout string, verbose bool, gitRoot strin
// Check if the resolved path is within gitRoot to prevent path traversal
relPath, err := filepath.Rel(absGitRoot, absPath)
- if err != nil || strings.HasPrefix(relPath, "..") {
+ if err != nil || relPath == ".." || strings.HasPrefix(relPath, ".."+string(filepath.Separator)) {
runnerGuardLog.Printf("Skipping file outside git root: %s", filePath)
continue
}
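Review bot: The containment check on `relPath` is purely lexical, so a path inside the repository that is a symlink to a location outside `absGitRoot` would still pass it. How `absPath` is derived is outside this hunk; if it is not already resolved, passing it through `filepath.EvalSymlinks` before `filepath.Rel` would close that gap, since `filePath` comes from the scanner's JSON output and the file is presumably opened afterwards for context display. The same `== ".."` / `strings.HasPrefix(..., ".."+string(filepath.Separator))` test is also written out in the `scanPath` hunk of this commit; a small shared helper would keep the two from drifting apart.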
diff --git a/pkg/cli/runner_guard_test.go b/pkg/cli/runner_guard_test.go
new file mode 100644
index 00000000000..60fae8c8c0f
--- /dev/null
+++ b/pkg/cli/runner_guard_test.go
@@ -0,0 +1,353 @@
+//go:build !integration
+
+package cli
+
+import (
+ "bytes"
+ "os"
+ "strings"
+ "testing"
+)
+
+func TestParseAndDisplayRunnerGuardOutput(t *testing.T) {
+ tests := []struct {
+ name string
+ stdout string
+ verbose bool
+ expectedOutput []string
+ expectError bool
+ expectedCount int
+ }{
+ {
+ name: "single high severity finding",
+ stdout: `{
+ "findings": [
+ {
+ "rule_id": "RGS-001",
+ "name": "Unsafe Runner Usage",
+ "severity": "high",
+ "description": "Runner pulls from untrusted source",
+ "remediation": "Pin runner image digest",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 15
+ }
+ ]
+}`,
+ expectedOutput: []string{
+ ".github/workflows/test.lock.yml:15:1",
+ "error",
+ "RGS-001",
+ "Unsafe Runner Usage",
+ "Runner pulls from untrusted source",
+ },
+ expectError: false,
+ expectedCount: 1,
+ },
+ {
+ name: "critical severity maps to error type",
+ stdout: `{
+ "findings": [
+ {
+ "rule_id": "RGS-002",
+ "name": "Critical Finding",
+ "severity": "critical",
+ "description": "Dangerous configuration",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 10
+ }
+ ]
+}`,
+ expectedOutput: []string{
+ "error",
+ "RGS-002",
+ "Critical Finding",
+ },
+ expectError: false,
+ expectedCount: 1,
+ },
+ {
+ name: "note severity maps to info type",
+ stdout: `{
+ "findings": [
+ {
+ "rule_id": "RGS-003",
+ "name": "Informational Finding",
+ "severity": "note",
+ "description": "Minor configuration note",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 5
+ }
+ ]
+}`,
+ expectedOutput: []string{
+ "info",
+ "RGS-003",
+ "Informational Finding",
+ },
+ expectError: false,
+ expectedCount: 1,
+ },
+ {
+ name: "info severity maps to info type",
+ stdout: `{
+ "findings": [
+ {
+ "rule_id": "RGS-004",
+ "name": "Info Finding",
+ "severity": "info",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 5
+ }
+ ]
+}`,
+ expectedOutput: []string{
+ "info",
+ "RGS-004",
+ },
+ expectError: false,
+ expectedCount: 1,
+ },
+ {
+ name: "warning severity maps to warning type",
+ stdout: `{
+ "findings": [
+ {
+ "rule_id": "RGS-005",
+ "name": "Warning Finding",
+ "severity": "warning",
+ "description": "A warning",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 20
+ }
+ ]
+}`,
+ expectedOutput: []string{
+ "warning",
+ "RGS-005",
+ },
+ expectError: false,
+ expectedCount: 1,
+ },
+ {
+ name: "finding with score and grade displayed",
+ stdout: `{
+ "findings": [
+ {
+ "rule_id": "RGS-001",
+ "name": "Finding",
+ "severity": "high",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 5
+ }
+ ],
+ "score": 80,
+ "grade": "B"
+}`,
+ expectedOutput: []string{
+ "Runner-Guard Score: 80/100 (Grade: B)",
+ "RGS-001",
+ },
+ expectError: false,
+ expectedCount: 1,
+ },
+ {
+ name: "finding without line number defaults to 1",
+ stdout: `{
+ "findings": [
+ {
+ "rule_id": "RGS-006",
+ "name": "No Line Finding",
+ "severity": "high",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 0
+ }
+ ]
+}`,
+ expectedOutput: []string{
+ ".github/workflows/test.lock.yml:1:1",
+ "RGS-006",
+ },
+ expectError: false,
+ expectedCount: 1,
+ },
+ {
+ name: "multiple findings",
+ stdout: `{
+ "findings": [
+ {
+ "rule_id": "RGS-001",
+ "name": "First Finding",
+ "severity": "high",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 10
+ },
+ {
+ "rule_id": "RGS-002",
+ "name": "Second Finding",
+ "severity": "warning",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 20
+ }
+ ]
+}`,
+ expectedOutput: []string{
+ "RGS-001",
+ "First Finding",
+ "RGS-002",
+ "Second Finding",
+ },
+ expectError: false,
+ expectedCount: 2,
+ },
+ {
+ name: "no findings returns zero count",
+ stdout: `{
+ "findings": []
+}`,
+ expectedOutput: []string{},
+ expectError: false,
+ expectedCount: 0,
+ },
+ {
+ name: "empty output returns zero count",
+ stdout: "",
+ expectedOutput: []string{},
+ expectError: false,
+ expectedCount: 0,
+ },
+ {
+ name: "invalid JSON returns error",
+ stdout: "not valid json",
+ expectedOutput: []string{},
+ expectError: true,
+ expectedCount: 0,
+ },
+ {
+ name: "finding without description omits description from message",
+ stdout: `{
+ "findings": [
+ {
+ "rule_id": "RGS-007",
+ "name": "No Description",
+ "severity": "high",
+ "description": "",
+ "file": ".github/workflows/test.lock.yml",
+ "line": 5
+ }
+ ]
+}`,
+ expectedOutput: []string{
+ "[high] RGS-007: No Description",
+ },
+ expectError: false,
+ expectedCount: 1,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ // Capture stderr output
+ oldStderr := os.Stderr
+ r, w, _ := os.Pipe()
+ os.Stderr = w
+
+ // Use a temp dir as gitRoot (no actual files — context display is skipped gracefully)
+ tmpDir := t.TempDir()
+ count, err := parseAndDisplayRunnerGuardOutput(tt.stdout, tt.verbose, tmpDir)
+
+ // Restore stderr
+ w.Close()
+ os.Stderr = oldStderr
+
+ // Read captured output
+ var buf bytes.Buffer
+ buf.ReadFrom(r)
+ output := buf.String()
+
+ // Check error expectation
+ if tt.expectError && err == nil {
+ t.Errorf("Expected an error but got none")
+ }
+ if !tt.expectError && err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
+
+ // Verify finding count
+ if count != tt.expectedCount {
+ t.Errorf("Expected count %d, got %d", tt.expectedCount, count)
+ }
+
+ // Check expected output strings
+ for _, expected := range tt.expectedOutput {
+ if !strings.Contains(output, expected) {
+ t.Errorf("Expected output to contain %q, got:\n%s", expected, output)
+ }
+ }
+ })
+ }
+}
+
+func TestRunnerGuardPathTraversalGuard(t *testing.T) {
+ tests := []struct {
+ name string
+ filePath string
+ skip bool // whether the finding should be skipped (outside git root)
+ }{
+ {
+ name: "normal workflow file",
+ filePath: ".github/workflows/test.lock.yml",
+ skip: false,
+ },
+ {
+ name: "file outside git root via ..",
+ filePath: "../outside/file.yml",
+ skip: true,
+ },
+ {
+ name: "file with .. prefix but inside root",
+ filePath: "..foo/file.yml", // should NOT be skipped — not a parent traversal
+ skip: false,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ tmpDir := t.TempDir()
+
+ stdout := `{"findings":[{"rule_id":"RGS-TEST","name":"Test","severity":"high","file":"` +
+ tt.filePath + `","line":1}]}`
+
+ oldStderr := os.Stderr
+ r, w, _ := os.Pipe()
+ os.Stderr = w
+
+ count, err := parseAndDisplayRunnerGuardOutput(stdout, false, tmpDir)
+
+ w.Close()
+ os.Stderr = oldStderr
+
+ var buf bytes.Buffer
+ buf.ReadFrom(r)
+ output := buf.String()
+
+ if err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
+
+ if tt.skip {
+ // Skipped findings still count toward totalFindings but won't appear in output
+ // The finding is parsed (count=1) but display is skipped
+ if count != 1 {
+ t.Errorf("Expected count 1 (finding parsed even if skipped for display), got %d", count)
+ }
+ if strings.Contains(output, "RGS-TEST") {
+ t.Errorf("Expected skipped finding not to appear in output, got:\n%s", output)
+ }
+ } else {
+ if count != 1 {
+ t.Errorf("Expected count 1, got %d", count)
+ }
+ }
+ })
+ }
+}
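Review bot: In `TestRunnerGuardPathTraversalGuard` the `else` branch asserts only `count == 1`, which the skipped case asserts too, so the `..foo/file.yml` case would also pass with the old `strings.HasPrefix(relPath, "..")` guard. To pin the fix, the non-skipped branch should check the display as well: `if !strings.Contains(output, "RGS-TEST") { t.Errorf("Expected finding to appear in output, got:\n%s", output) }`. Both tests in this file also discard the `os.Pipe()` error and restore `os.Stderr` inline rather than through `defer` or `t.Cleanup`, so a panic in the function under test leaves stderr redirected for the rest of the package run.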
From 97f9a6ea68e13dcf38e0e3266c835537745c3787 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 8 Apr 2026 12:52:32 +0000
Subject: [PATCH 4/6] refactor: remove runner_guard job, integrate runner-guard
into compile step
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1d8fbd2e-38f8-4fd4-8038-9dfd1918ddd0
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
.../workflows/static-analysis-report.lock.yml | 73 ++++---------------
.github/workflows/static-analysis-report.md | 37 +---------
2 files changed, 15 insertions(+), 95 deletions(-)
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index dbb42b6afe2..795167af0c0 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"776e47c264994d11ac6fb58d89f95fc97de8f3ee8326d0c07ef48fdbb9274157","strict":true,"agent_id":"claude"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8d11c3eaafd98561033e62ac5f440c447434fcfe563e10a2acc03b221610fb13","strict":true,"agent_id":"claude"}
# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]}
# ___ _ _
# / _ \ | | (_)
@@ -161,16 +161,16 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_368d3ccaf181f2f0_EOF'
+ cat << 'GH_AW_PROMPT_35a871bc3237bd3e_EOF'
- GH_AW_PROMPT_368d3ccaf181f2f0_EOF
+ GH_AW_PROMPT_35a871bc3237bd3e_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_368d3ccaf181f2f0_EOF'
+ cat << 'GH_AW_PROMPT_35a871bc3237bd3e_EOF'
Tools: create_issue(max:3), create_discussion, missing_tool, missing_data, noop
@@ -202,13 +202,13 @@ jobs:
{{/if}}
- GH_AW_PROMPT_368d3ccaf181f2f0_EOF
+ GH_AW_PROMPT_35a871bc3237bd3e_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_368d3ccaf181f2f0_EOF'
+ cat << 'GH_AW_PROMPT_35a871bc3237bd3e_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
{{#runtime-import .github/workflows/static-analysis-report.md}}
- GH_AW_PROMPT_368d3ccaf181f2f0_EOF
+ GH_AW_PROMPT_35a871bc3237bd3e_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -287,9 +287,7 @@ jobs:
retention-days: 1
agent:
- needs:
- - activation
- - runner_guard
+ needs: activation
runs-on: ubuntu-latest
permissions:
actions: read
@@ -389,12 +387,7 @@ jobs:
- name: Verify static analysis tools
run: "set -e\necho \"Verifying static analysis tools are available...\"\n\n# Verify zizmor\necho \"Testing zizmor...\"\ndocker run --rm ghcr.io/zizmorcore/zizmor:latest --version || echo \"Warning: zizmor version check failed\"\n\n# Verify poutine\necho \"Testing poutine...\"\ndocker run --rm ghcr.io/boostsecurityio/poutine:latest --version || echo \"Warning: poutine version check failed\"\n\n# Verify runner-guard\necho \"Testing runner-guard...\"\ndocker run --rm ghcr.io/vigilant-llc/runner-guard:v3.0.1 --version || echo \"Warning: runner-guard version check failed\"\n\necho \"Static analysis tools verification complete\"\n"
- name: Run compile with security tools
- run: "set -e\necho \"Running gh aw compile with security tools to download Docker images...\"\n\n# Run compile with all security scanner flags to download Docker images\n# Store the output in a file for inspection\ngh aw compile --zizmor --poutine --actionlint --runner-guard 2>&1 | tee /tmp/gh-aw/compile-output.txt\n\necho \"Compile with security tools completed\"\necho \"Output saved to /tmp/gh-aw/compile-output.txt\"\n"
- - name: Download runner-guard results
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: runner-guard-results
- path: /tmp/gh-aw/
+ run: "set -e\necho \"Running gh aw compile with security tools to download Docker images...\"\n\n# Run compile with all security scanner flags to download Docker images\n# Store the output in a file for inspection\ngh aw compile --zizmor --poutine --actionlint --runner-guard 2>&1 | tee /tmp/gh-aw/compile-output.txt\n\necho \"Compile with security tools completed\"\necho \"Output saved to /tmp/gh-aw/compile-output.txt\""
# Cache memory file share configuration from frontmatter processed below
- name: Create cache-memory directory
@@ -488,9 +481,9 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_4c804d91fec07836_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_519e7c8ad923e1a5_EOF'
{"create_discussion":{"category":"security","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1},"create_issue":{"expires":168,"labels":["security","automation"],"max":3,"title_prefix":"[runner-guard] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
- GH_AW_SAFE_OUTPUTS_CONFIG_4c804d91fec07836_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_519e7c8ad923e1a5_EOF
- name: Write Safe Outputs Tools
env:
GH_AW_TOOLS_META_JSON: |
@@ -712,7 +705,7 @@ jobs:
export GH_AW_ENGINE="claude"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.16'
- cat << GH_AW_MCP_CONFIG_36fd9c8e2994a1c4_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_56855796b05f55a8_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -770,7 +763,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_36fd9c8e2994a1c4_EOF
+ GH_AW_MCP_CONFIG_56855796b05f55a8_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
@@ -1042,7 +1035,6 @@ jobs:
- activation
- agent
- detection
- - runner_guard
- safe_outputs
- update_cache_memory
if: always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true')
@@ -1332,45 +1324,6 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs');
await main();
- runner_guard:
- needs: activation
- runs-on: ubuntu-latest
- permissions:
- contents: read
-
- steps:
- - name: Configure GH_HOST for enterprise compatibility
- id: ghes-host-config
- shell: bash
- run: |
- # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
- # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
- GH_HOST="${GITHUB_SERVER_URL#https://}"
- GH_HOST="${GH_HOST#http://}"
- echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - name: Run runner-guard scan
- run: |
- docker run --rm \
- -v "$(pwd):/workdir" \
- -w /workdir \
- ghcr.io/vigilant-llc/runner-guard:v3.0.1 \
- scan . --format json > /tmp/runner-guard-results.json 2>/tmp/runner-guard-stderr.log || true
- # If output is empty or not valid JSON, write empty result
- if ! python3 -c "import json,sys; json.load(open('/tmp/runner-guard-results.json'))" 2>/dev/null; then
- echo '{"findings":[],"stderr":"'"$(cat /tmp/runner-guard-stderr.log | head -20 | tr '"' "'")"'"}' > /tmp/runner-guard-results.json
- fi
- - name: Upload runner-guard results
- if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: runner-guard-results
- path: /tmp/runner-guard-results.json
- retention-days: 1
-
safe_outputs:
needs:
- activation
diff --git a/.github/workflows/static-analysis-report.md b/.github/workflows/static-analysis-report.md
index eb7f73bf3ae..34e09b0a686 100644
--- a/.github/workflows/static-analysis-report.md
+++ b/.github/workflows/static-analysis-report.md
@@ -32,34 +32,6 @@ timeout-minutes: 45
strict: true
imports:
- shared/reporting.md
-jobs:
- runner_guard:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- steps:
- - name: Checkout repository
- uses: actions/checkout@v6.0.2
- with:
- persist-credentials: false
- - name: Run runner-guard scan
- run: |
- docker run --rm \
- -v "$(pwd):/workdir" \
- -w /workdir \
- ghcr.io/vigilant-llc/runner-guard:v3.0.1 \
- scan . --format json > /tmp/runner-guard-results.json 2>/tmp/runner-guard-stderr.log || true
- # If output is empty or not valid JSON, write empty result
- if ! python3 -c "import json,sys; json.load(open('/tmp/runner-guard-results.json'))" 2>/dev/null; then
- echo '{"findings":[],"stderr":"'"$(cat /tmp/runner-guard-stderr.log | head -20 | tr '"' "'")"'"}' > /tmp/runner-guard-results.json
- fi
- - name: Upload runner-guard results
- if: always()
- uses: actions/upload-artifact@v7
- with:
- name: runner-guard-results
- path: /tmp/runner-guard-results.json
- retention-days: 1
steps:
- name: Install gh-aw CLI
env:
@@ -118,11 +90,6 @@ steps:
echo "Compile with security tools completed"
echo "Output saved to /tmp/gh-aw/compile-output.txt"
- - name: Download runner-guard results
- uses: actions/download-artifact@v8.0.1
- with:
- name: runner-guard-results
- path: /tmp/gh-aw/
---
# Static Analysis Report
@@ -431,10 +398,10 @@ Issues created: [list of issue links for Critical/High findings, or "none"]
### Phase 6: Analyze Runner-Guard Findings
-Runner-guard has performed source-to-sink vulnerability scanning on the repository's GitHub Actions workflows. The results are available at `/tmp/gh-aw/runner-guard-results.json`.
+Runner-guard has performed source-to-sink vulnerability scanning as part of the compile step. The results are included in the compilation output at `/tmp/gh-aw/compile-output.txt`.
1. **Read Runner-Guard Output**:
- Read the file `/tmp/gh-aw/runner-guard-results.json` which contains findings from runner-guard's taint analysis (detection rules covering fork checkout exploits, expression injection, secret exfiltration, unpinned actions, AI config injection, and supply chain steganography).
+ Parse the runner-guard findings from `/tmp/gh-aw/compile-output.txt` — runner-guard findings are included alongside zizmor, poutine, and actionlint results (detection rules covering fork checkout exploits, expression injection, secret exfiltration, unpinned actions, AI config injection, and supply chain steganography).
2. **Analyze Findings**:
- Parse the JSON to extract findings
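Review bot: The step after the rewritten paragraph still reads `- Parse the JSON to extract findings`, but the agent is now pointed at `/tmp/gh-aw/compile-output.txt`, which is the `2>&1 | tee` capture of `gh aw compile` and so is presumably console text mixed with zizmor, poutine and actionlint output rather than a JSON document. I would reword that step to something like `- Extract the runner-guard entries (rule ID, severity, file, line) from the compile output`, and add a line telling the agent to report the scan as not run when no runner-guard section is present, so a failed image pull or scanner crash is not read as zero findings. The rest of Phase 6 lies outside this hunk, so later steps may need the same adjustment.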
From 5d375e49cc2ad38a89e3b0ebee1f68c58a5c60c7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 8 Apr 2026 13:22:06 +0000
Subject: [PATCH 5/6] fix: update runner-guard Docker image tag from v3.0.1 to
latest
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2edba045-be10-410f-b268-53f477f5e640
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
.../workflows/static-analysis-report.lock.yml | 26 +++++++++----------
.github/workflows/static-analysis-report.md | 4 +--
pkg/cli/docker_images.go | 2 +-
pkg/cli/runner_guard.go | 2 +-
4 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index 795167af0c0..5002c7e87bf 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8d11c3eaafd98561033e62ac5f440c447434fcfe563e10a2acc03b221610fb13","strict":true,"agent_id":"claude"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f180658b93f8f0e2fc76d4542747e09be2ed998665762f94d74d3693bdddf482","strict":true,"agent_id":"claude"}
# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]}
# ___ _ _
# / _ \ | | (_)
@@ -161,16 +161,16 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_35a871bc3237bd3e_EOF'
+ cat << 'GH_AW_PROMPT_e3074998fd150c54_EOF'
- GH_AW_PROMPT_35a871bc3237bd3e_EOF
+ GH_AW_PROMPT_e3074998fd150c54_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_35a871bc3237bd3e_EOF'
+ cat << 'GH_AW_PROMPT_e3074998fd150c54_EOF'
Tools: create_issue(max:3), create_discussion, missing_tool, missing_data, noop
@@ -202,13 +202,13 @@ jobs:
{{/if}}
- GH_AW_PROMPT_35a871bc3237bd3e_EOF
+ GH_AW_PROMPT_e3074998fd150c54_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_35a871bc3237bd3e_EOF'
+ cat << 'GH_AW_PROMPT_e3074998fd150c54_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
{{#runtime-import .github/workflows/static-analysis-report.md}}
- GH_AW_PROMPT_35a871bc3237bd3e_EOF
+ GH_AW_PROMPT_e3074998fd150c54_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -383,9 +383,9 @@ jobs:
fi
gh aw --version
- name: Pull static analysis Docker images
- run: "set -e\necho \"Pulling Docker images for static analysis tools...\"\n\n# Pull zizmor Docker image\necho \"Pulling zizmor image...\"\ndocker pull ghcr.io/zizmorcore/zizmor:latest\n\n# Pull poutine Docker image\necho \"Pulling poutine image...\"\ndocker pull ghcr.io/boostsecurityio/poutine:latest\n\n# Pull runner-guard Docker image\necho \"Pulling runner-guard image...\"\ndocker pull ghcr.io/vigilant-llc/runner-guard:v3.0.1\n\necho \"All static analysis Docker images pulled successfully\"\n"
+ run: "set -e\necho \"Pulling Docker images for static analysis tools...\"\n\n# Pull zizmor Docker image\necho \"Pulling zizmor image...\"\ndocker pull ghcr.io/zizmorcore/zizmor:latest\n\n# Pull poutine Docker image\necho \"Pulling poutine image...\"\ndocker pull ghcr.io/boostsecurityio/poutine:latest\n\n# Pull runner-guard Docker image\necho \"Pulling runner-guard image...\"\ndocker pull ghcr.io/vigilant-llc/runner-guard:latest\n\necho \"All static analysis Docker images pulled successfully\"\n"
- name: Verify static analysis tools
- run: "set -e\necho \"Verifying static analysis tools are available...\"\n\n# Verify zizmor\necho \"Testing zizmor...\"\ndocker run --rm ghcr.io/zizmorcore/zizmor:latest --version || echo \"Warning: zizmor version check failed\"\n\n# Verify poutine\necho \"Testing poutine...\"\ndocker run --rm ghcr.io/boostsecurityio/poutine:latest --version || echo \"Warning: poutine version check failed\"\n\n# Verify runner-guard\necho \"Testing runner-guard...\"\ndocker run --rm ghcr.io/vigilant-llc/runner-guard:v3.0.1 --version || echo \"Warning: runner-guard version check failed\"\n\necho \"Static analysis tools verification complete\"\n"
+ run: "set -e\necho \"Verifying static analysis tools are available...\"\n\n# Verify zizmor\necho \"Testing zizmor...\"\ndocker run --rm ghcr.io/zizmorcore/zizmor:latest --version || echo \"Warning: zizmor version check failed\"\n\n# Verify poutine\necho \"Testing poutine...\"\ndocker run --rm ghcr.io/boostsecurityio/poutine:latest --version || echo \"Warning: poutine version check failed\"\n\n# Verify runner-guard\necho \"Testing runner-guard...\"\ndocker run --rm ghcr.io/vigilant-llc/runner-guard:latest --version || echo \"Warning: runner-guard version check failed\"\n\necho \"Static analysis tools verification complete\"\n"
- name: Run compile with security tools
run: "set -e\necho \"Running gh aw compile with security tools to download Docker images...\"\n\n# Run compile with all security scanner flags to download Docker images\n# Store the output in a file for inspection\ngh aw compile --zizmor --poutine --actionlint --runner-guard 2>&1 | tee /tmp/gh-aw/compile-output.txt\n\necho \"Compile with security tools completed\"\necho \"Output saved to /tmp/gh-aw/compile-output.txt\""
@@ -481,9 +481,9 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_519e7c8ad923e1a5_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_dce2c62bcb34f28a_EOF'
{"create_discussion":{"category":"security","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1},"create_issue":{"expires":168,"labels":["security","automation"],"max":3,"title_prefix":"[runner-guard] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
- GH_AW_SAFE_OUTPUTS_CONFIG_519e7c8ad923e1a5_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_dce2c62bcb34f28a_EOF
- name: Write Safe Outputs Tools
env:
GH_AW_TOOLS_META_JSON: |
@@ -705,7 +705,7 @@ jobs:
export GH_AW_ENGINE="claude"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.16'
- cat << GH_AW_MCP_CONFIG_56855796b05f55a8_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_196746c7f5a198bc_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -763,7 +763,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_56855796b05f55a8_EOF
+ GH_AW_MCP_CONFIG_196746c7f5a198bc_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
diff --git a/.github/workflows/static-analysis-report.md b/.github/workflows/static-analysis-report.md
index 34e09b0a686..17d3c8fda1d 100644
--- a/.github/workflows/static-analysis-report.md
+++ b/.github/workflows/static-analysis-report.md
@@ -58,7 +58,7 @@ steps:
# Pull runner-guard Docker image
echo "Pulling runner-guard image..."
- docker pull ghcr.io/vigilant-llc/runner-guard:v3.0.1
+ docker pull ghcr.io/vigilant-llc/runner-guard:latest
echo "All static analysis Docker images pulled successfully"
- name: Verify static analysis tools
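Review bot: Replacing `runner-guard:v3.0.1` with `runner-guard:latest` in the pull step makes the scanner a mutable reference: whatever is next published under that tag will be pulled and run, and the command comment in `runRunnerGuardOnDirectory` shows the image started with the git root bind-mounted at `/workdir`. The same substitution is made in the verify step of this file, in `RunnerGuardImage` in `pkg/cli/docker_images.go`, and in the generated lock file. If the change was needed because the `v3.0.1` tag could not be pulled (the commit message does not say), I would pin a published release by digest instead, e.g. `docker pull ghcr.io/vigilant-llc/runner-guard@sha256:<digest-of-reviewed-release>` with the matching `RunnerGuardImage = "ghcr.io/vigilant-llc/runner-guard@sha256:<digest-of-reviewed-release>"`. A digest also keeps scan results reproducible between runs.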
@@ -76,7 +76,7 @@ steps:
# Verify runner-guard
echo "Testing runner-guard..."
- docker run --rm ghcr.io/vigilant-llc/runner-guard:v3.0.1 --version || echo "Warning: runner-guard version check failed"
+ docker run --rm ghcr.io/vigilant-llc/runner-guard:latest --version || echo "Warning: runner-guard version check failed"
echo "Static analysis tools verification complete"
- name: Run compile with security tools
diff --git a/pkg/cli/docker_images.go b/pkg/cli/docker_images.go
index ef1af89dd14..b51d987406d 100644
--- a/pkg/cli/docker_images.go
+++ b/pkg/cli/docker_images.go
@@ -32,7 +32,7 @@ const (
ZizmorImage = "ghcr.io/zizmorcore/zizmor:latest"
PoutineImage = "ghcr.io/boostsecurityio/poutine:latest"
ActionlintImage = "rhysd/actionlint:latest"
- RunnerGuardImage = "ghcr.io/vigilant-llc/runner-guard:v3.0.1"
+ RunnerGuardImage = "ghcr.io/vigilant-llc/runner-guard:latest"
)
// dockerPullState tracks the state of docker pull operations
diff --git a/pkg/cli/runner_guard.go b/pkg/cli/runner_guard.go
index 5a63067ee98..c8f3895ec92 100644
--- a/pkg/cli/runner_guard.go
+++ b/pkg/cli/runner_guard.go
@@ -62,7 +62,7 @@ func runRunnerGuardOnDirectory(workflowDir string, verbose bool, strict bool) er
}
// Build the Docker command
- // docker run --rm -v "$gitRoot:/workdir" -w /workdir ghcr.io/vigilant-llc/runner-guard:v3.0.1 scan --format json
+ // docker run --rm -v "$gitRoot:/workdir" -w /workdir ghcr.io/vigilant-llc/runner-guard:latest scan --format json
// #nosec G204 -- gitRoot comes from git rev-parse (trusted source) and is validated as absolute path.
// exec.Command with separate args (not shell execution) prevents command injection.
cmd := exec.Command(
From c9d29426836a8620da8503d8214df246c45c3c89 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 8 Apr 2026 14:16:51 +0000
Subject: [PATCH 6/6] feat: switch static-analysis-report from discussion to
issue with close-older-issues
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8a46b04a-8d4d-42ef-a7e4-5b8314a7ed36
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
.../workflows/static-analysis-report.lock.yml | 61 +++++--------------
.github/workflows/static-analysis-report.md | 32 +++++-----
2 files changed, 30 insertions(+), 63 deletions(-)
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index 5002c7e87bf..9ee43cf6d40 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f180658b93f8f0e2fc76d4542747e09be2ed998665762f94d74d3693bdddf482","strict":true,"agent_id":"claude"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"318bcb2dd35e5e2b1e5b5d43aa49a612812b5558e34de889032c8cfcdd19a6cb","strict":true,"agent_id":"claude"}
# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]}
# ___ _ _
# / _ \ | | (_)
@@ -161,18 +161,18 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_e3074998fd150c54_EOF'
+ cat << 'GH_AW_PROMPT_444cafb4b664f02f_EOF'
- GH_AW_PROMPT_e3074998fd150c54_EOF
+ GH_AW_PROMPT_444cafb4b664f02f_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_e3074998fd150c54_EOF'
+ cat << 'GH_AW_PROMPT_444cafb4b664f02f_EOF'
- Tools: create_issue(max:3), create_discussion, missing_tool, missing_data, noop
+ Tools: create_issue(max:4), missing_tool, missing_data, noop
The following GitHub context information is available for this workflow:
@@ -202,13 +202,13 @@ jobs:
{{/if}}
- GH_AW_PROMPT_e3074998fd150c54_EOF
+ GH_AW_PROMPT_444cafb4b664f02f_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_e3074998fd150c54_EOF'
+ cat << 'GH_AW_PROMPT_444cafb4b664f02f_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
{{#runtime-import .github/workflows/static-analysis-report.md}}
- GH_AW_PROMPT_e3074998fd150c54_EOF
+ GH_AW_PROMPT_444cafb4b664f02f_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -481,48 +481,21 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_dce2c62bcb34f28a_EOF'
- {"create_discussion":{"category":"security","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1},"create_issue":{"expires":168,"labels":["security","automation"],"max":3,"title_prefix":"[runner-guard] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
- GH_AW_SAFE_OUTPUTS_CONFIG_dce2c62bcb34f28a_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_1bb50cfd96d32a60_EOF'
+ {"create_issue":{"close_older_issues":true,"expires":168,"labels":["security","automation"],"max":4,"title_prefix":"[static-analysis] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
+ GH_AW_SAFE_OUTPUTS_CONFIG_1bb50cfd96d32a60_EOF
- name: Write Safe Outputs Tools
env:
GH_AW_TOOLS_META_JSON: |
{
"description_suffixes": {
- "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"security\".",
- "create_issue": " CONSTRAINTS: Maximum 3 issue(s) can be created. Title will be prefixed with \"[runner-guard] \". Labels [\"security\" \"automation\"] will be automatically added."
+ "create_issue": " CONSTRAINTS: Maximum 4 issue(s) can be created. Title will be prefixed with \"[static-analysis] \". Labels [\"security\" \"automation\"] will be automatically added."
},
"repo_params": {},
"dynamic_tools": []
}
GH_AW_VALIDATION_JSON: |
{
- "create_discussion": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "category": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- },
- "title": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
"create_issue": {
"defaultMax": 1,
"fields": {
@@ -705,7 +678,7 @@ jobs:
export GH_AW_ENGINE="claude"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.16'
- cat << GH_AW_MCP_CONFIG_196746c7f5a198bc_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_e6f57169bc15e587_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -763,7 +736,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_196746c7f5a198bc_EOF
+ GH_AW_MCP_CONFIG_e6f57169bc15e587_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
@@ -1041,7 +1014,6 @@ jobs:
runs-on: ubuntu-slim
permissions:
contents: read
- discussions: write
issues: write
concurrency:
group: "gh-aw-conclusion-static-analysis-report"
@@ -1138,8 +1110,6 @@ jobs:
GH_AW_ENGINE_ID: "claude"
GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
- GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }}
- GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }}
GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
GH_AW_GROUP_REPORTS: "false"
GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
@@ -1333,7 +1303,6 @@ jobs:
runs-on: ubuntu-slim
permissions:
contents: read
- discussions: write
issues: write
timeout-minutes: 15
env:
@@ -1398,7 +1367,7 @@ jobs:
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_API_URL: ${{ github.api_url }}
- GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"security\",\"close_older_discussions\":true,\"expires\":24,\"fallback_to_issue\":true,\"max\":1},\"create_issue\":{\"expires\":168,\"labels\":[\"security\",\"automation\"],\"max\":3,\"title_prefix\":\"[runner-guard] \"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}"
+ GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":true,\"expires\":168,\"labels\":[\"security\",\"automation\"],\"max\":4,\"title_prefix\":\"[static-analysis] \"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}"
with:
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
diff --git a/.github/workflows/static-analysis-report.md b/.github/workflows/static-analysis-report.md
index 17d3c8fda1d..71d6a06a579 100644
--- a/.github/workflows/static-analysis-report.md
+++ b/.github/workflows/static-analysis-report.md
@@ -18,16 +18,12 @@ tools:
cache-memory: true
timeout: 600
safe-outputs:
- create-discussion:
- expires: 1d
- category: "security"
- max: 1
- close-older-discussions: true
create-issue:
expires: 7d
- title-prefix: "[runner-guard] "
+ title-prefix: "[static-analysis] "
labels: [security, automation]
- max: 3
+ max: 4
+ close-older-issues: true
timeout-minutes: 45
strict: true
imports:
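Review bot: `close-older-issues: true` is added to the one `create-issue` block that files both the report and the per-finding Critical/High issues, and both now share the `[static-analysis] ` prefix and the `security`/`automation` labels. The hunk does not show how older issues are selected; if selection is by title prefix or labels, the next run's report could close finding issues that are still unresolved, and the Phase 6 duplicate check, which only searches open issues, would then file them again. Confirm the matching rule and, if it is prefix- or label-based, leave `close-older-issues` off or state in the prompt that finding issues are meant to be superseded on each run. `max: 4` leaves exactly one slot for the report after three findings, so a comment such as `# 3 finding issues + 1 report issue` would explain the number.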
@@ -260,11 +256,11 @@ Use the cache memory folder `/tmp/gh-aw/cache-memory/` to build persistent knowl
```
```
-### Phase 5: Create Discussion Report
+### Phase 5: Create Issue Report
-**ALWAYS create a comprehensive discussion report** with your static analysis findings, regardless of whether issues were found or not.
+**ALWAYS create a comprehensive issue report** with your static analysis findings, regardless of whether issues were found or not.
-Create a discussion with:
+Create an issue with:
- **Summary**: Overview of static analysis findings from all three tools
- **Statistics**: Total findings by tool, by severity, by type
- **Clustered Findings**: Issues grouped by tool and type with counts
@@ -273,7 +269,7 @@ Create a discussion with:
- **Recommendations**: Prioritized actions to improve security and code quality
- **Historical Trends**: Comparison with previous scans
-**Discussion Template**:
+**Issue Template**:
```markdown
# 🔍 Static Analysis Report - [DATE]
@@ -396,6 +392,8 @@ Issues created: [list of issue links for Critical/High findings, or "none"]
- [ ] Consider adding all three tools to pre-commit hooks
```
+Use the title `[static-analysis] Report - [DATE]` for the issue.
+
### Phase 6: Analyze Runner-Guard Findings
Runner-guard has performed source-to-sink vulnerability scanning as part of the compile step. The results are included in the compilation output at `/tmp/gh-aw/compile-output.txt`.
@@ -413,14 +411,14 @@ Runner-guard has performed source-to-sink vulnerability scanning as part of the
For up to 3 of the most critical findings (by severity, then rule ID), create a GitHub issue.
Before creating issues:
- - Search for existing open issues whose title contains `[runner-guard]` and the rule ID (e.g. `RGS-001`) to avoid duplicates
+ - Search for existing open issues whose title contains `[static-analysis]` and the rule ID (e.g. `RGS-001`) to avoid duplicates
- Only create issues for Critical and High severity findings
- Do not create an issue if a matching open issue already exists for the same rule ID
- Maximum 3 issues total across all runner-guard findings per run
Issue format:
```
- Title: [runner-guard] : in
+ Title: [static-analysis] : in
## 🚨 Runner-Guard Security Finding
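Review bot: The duplicate check in this hunk now searches only for titles containing `[static-analysis]`, so open issues filed under the old `[runner-guard]` prefix will no longer match. On the first runs after this change the same Critical/High rule IDs may be filed a second time while the originals are still open. Extending the search line to cover both prefixes during the transition would avoid that, for example by ending it with `or the legacy [runner-guard] prefix, together with the rule ID`. The Phase 5 report uses the same prefix (`[static-analysis] Report - [DATE]`), so the search should also key on the rule ID rather than the prefix alone, as the current wording already implies.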
@@ -444,7 +442,7 @@ Runner-guard has performed source-to-sink vulnerability scanning as part of the
```
4. **Add to Discussion**:
- Include a "Runner-Guard Analysis" section in the Phase 5 discussion report (see updated discussion template below).
+ Include a "Runner-Guard Analysis" section in the Phase 5 issue report.
## Important Guidelines
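Review bot: The step heading `4. **Add to Discussion**:` is left unchanged above the rewritten sentence, so the prompt still tells the agent to add the section to a discussion while the body and the safe-outputs configuration now only allow an issue. Renaming it to `4. **Add to Issue Report**:` keeps the instruction consistent with the rest of the file. This matters more than a normal docs typo because the text is the agent's prompt, and a request for a discussion can no longer be satisfied once `create-discussion` is removed.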
@@ -486,7 +484,7 @@ Organize your persistent data in `/tmp/gh-aw/cache-memory/`:
## Output Requirements
-Your output must be well-structured and actionable. **You must create a discussion** for every scan with the findings from all three tools.
+Your output must be well-structured and actionable. **You must create an issue** for every scan with the findings from all three tools.
Update cache memory with today's scan data for future reference and trend analysis.
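Review bot: The rewritten requirement still says `findings from all three tools`, while the closing instruction of the same file lists four (zizmor, poutine, actionlint, runner-guard). As written, the agent could reasonably leave runner-guard results out of the mandatory report. Changing the phrase to `findings from all four tools` here, and in the unchanged Phase 5 Summary bullet that also says "all three tools", would make the count consistent.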
@@ -497,13 +495,13 @@ A successful static analysis scan:
- ✅ Clusters findings by tool and issue type
- ✅ Generates a detailed fix prompt for at least one issue type
- ✅ Updates cache memory with findings from all tools
-- ✅ Creates a comprehensive discussion report with findings
+- ✅ Creates a comprehensive issue report with findings
- ✅ Provides actionable recommendations
- ✅ Maintains historical context for trend analysis
- ✅ Reads and analyzes runner-guard source-to-sink findings
- ✅ Creates up to 3 GitHub issues for Critical/High runner-guard findings (avoiding duplicates)
-Begin your static analysis scan now. Read and parse the compilation output from `/tmp/gh-aw/compile-output.txt`, analyze the findings from all four tools (zizmor, poutine, actionlint, runner-guard), cluster them, generate fix suggestions, create up to 3 issues for critical runner-guard findings, and create a discussion with your complete analysis.
+Begin your static analysis scan now. Read and parse the compilation output from `/tmp/gh-aw/compile-output.txt`, analyze the findings from all four tools (zizmor, poutine, actionlint, runner-guard), cluster them, generate fix suggestions, create up to 3 issues for critical runner-guard findings, and create an issue with your complete analysis.
**Important**: If no action is needed after completing your analysis, you **MUST** call the `noop` safe-output tool with a brief explanation. Failing to call any safe-output tool is the most common cause of safe-output workflow failures.