Wire up dead MCP config schema validation#25507
Conversation
Implements ValidateMCPConfigWithSchema in pkg/parser/schema_validation.go and wires it into ValidateMCPConfigs in pkg/workflow/mcp_config_validation.go. - Add ValidateMCPConfigWithSchema function body (was a comment stub) - Add buildSchemaMCPConfig helper that filters to schema-defined fields and injects inferred type to avoid vacuous if/then schema misfires - Add inferMCPType shared helper to deduplicate type inference logic - Call parser.ValidateMCPConfigWithSchema after custom validation in ValidateMCPConfigs as a schema catch-all - Add TestValidateMCPConfigWithSchema in pkg/parser/schema_test.go Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4668f71c-0117-4c36-b90b-57991f5a7097 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Add sync warning to mcpSchemaTopLevelFields explaining it must be kept in sync with mcp_config_schema.json - Expand buildSchemaMCPConfig comment to explain why type injection is needed (vacuous if/then in JSON Schema draft-07) and what happens when inference fails - Make empty-config test assertion check for 'missing property' instead of the generic 'jsonschema validation failed' Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4668f71c-0117-4c36-b90b-57991f5a7097 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR wires up previously-dead MCP JSON schema validation so malformed MCP server configs are rejected at compile/validation time instead of silently passing.
Changes:
- Implement
parser.ValidateMCPConfigWithSchemato invoke the embeddedmcpConfigSchema. - Add post–custom-validation schema validation in
workflow.ValidateMCPConfigs, including a helper to build a schema-compatible config view and inferredtype. - Add unit tests for MCP schema validation with a variety of valid/invalid cases.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/mcp_config_validation.go | Runs MCP schema validation after existing custom checks; adds type inference + schema filtering helper. |
| pkg/parser/schema_validation.go | Implements ValidateMCPConfigWithSchema to actually call validateWithSchema using mcpConfigSchema. |
| pkg/parser/schema_test.go | Adds TestValidateMCPConfigWithSchema covering common valid/invalid MCP configs. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 2
| name: "empty config fails anyOf - missing type, url, command, and container", | ||
| mcpConfig: map[string]any{}, | ||
| wantErr: true, | ||
| errContains: "missing property", |
There was a problem hiding this comment.
Test assertion for the empty-config case is likely too specific: jsonschema/v6 error text typically uses "missing properties" (plural) and may include the specific property set from the anyOf. Using errContains: "missing property" risks a flaky/failing test across jsonschema versions; consider matching on "missing properties" (or a more stable fragment like "missing properties" + one of {type,url,command,container}).
| errContains: "missing property", | |
| errContains: "missing properties", |
| // buildSchemaMCPConfig extracts only the fields defined in mcp_config_schema.json | ||
| // from a full tool config map. Tool-specific fields that are not part of the MCP | ||
| // schema (e.g. auth, proxy-args, mode, github-token) are excluded so that schema | ||
| // validation does not fail on fields unknown to the schema. | ||
| // | ||
| // If the 'type' field is absent but can be inferred from other fields (url → http, | ||
| // command/container → stdio), the inferred type is injected. This is necessary because | ||
| // the schema's if/then conditions use properties-based matching which is vacuously true | ||
| // when 'type' is absent, causing contradictory constraints to fire for valid configs | ||
| // that rely on type inference. | ||
| func buildSchemaMCPConfig(toolConfig map[string]any) map[string]any { |
There was a problem hiding this comment.
Schema validation is described as a post-custom "catch-all", but buildSchemaMCPConfig explicitly strips fields like proxy-args (and auth) because they are not in mcp_config_schema.json. proxy-args is still a supported MCP config field elsewhere (e.g. parsed via MapToolConfig.GetStringArray), and without schema coverage or separate validation, non-string items or wrong types can be silently dropped. Consider either extending the schema/translation to cover these supported fields or adding explicit validation for them before stripping so malformed values are still rejected.
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
|
Smoke Test Results — §24204964096
Overall: ✅ PASS — Note 🔒 Integrity filter blocked 1 itemThe following item were blocked because they don't meet the GitHub integrity level.
To allow these resources, lower tools:
github:
min-integrity: approved # merged | approved | unapproved | none
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Reviewed PR #25507 (Wire up dead MCP config schema validation). The changes look clean — inferMCPType extraction improves reusability, and the buildSchemaMCPConfig approach of filtering to schema-known fields before validation is a pragmatic solution. One suggestion: add a sync-test for mcpSchemaTopLevelFields.
Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
- #25507
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
github:
min-integrity: approved # merged | approved | unapproved | none📰 BREAKING: Report filed by Smoke Copilot · ● 811.1K
| "mounts": true, | ||
| "env": true, | ||
| "headers": true, | ||
| "network": true, |
There was a problem hiding this comment.
The mcpSchemaTopLevelFields map is a useful safety net, but the comment warning about keeping it in sync with the schema is easy to miss. Consider adding a test that loads the JSON schema and verifies all top-level properties are present in this map, so drift is caught automatically.
|
|
||
| // inferMCPType infers the MCP connection type from the fields present in a config map. | ||
| // Returns "http" when a url field is present, "stdio" when command or container is present, | ||
| // and an empty string when the type cannot be determined. It does not validate the explicit |
There was a problem hiding this comment.
Nice extraction of inferMCPType into its own function — makes it easy to reuse and test independently. The docstring clearly explains the semantics (no validation of explicit type), which is helpful.
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
Smoke test (Codex) results:
|
|
Smoke Test Run 24204964101 — PARTIAL (Tavily unavailable, 2 skipped)
Note 🔒 Integrity filter blocked 1 itemThe following item were blocked because they don't meet the GitHub integrity level.
To allow these resources, lower tools:
github:
min-integrity: approved # merged | approved | unapproved | none
|
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
- #25507
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
github:
min-integrity: approved # merged | approved | unapproved | none💥 [THE END] — Illustrated by Smoke Claude · ● 250.6K
| // config schema; additional tool-specific fields (e.g. auth, proxy-args) | ||
| // must be stripped before calling this function because the schema uses | ||
| // additionalProperties: false. | ||
| func ValidateMCPConfigWithSchema(mcpConfig map[string]any) error { |
There was a problem hiding this comment.
The function signature is clean and the caller-responsibility contract is clearly documented in the comment above. Consider adding a nil-check guard for mcpConfig to make the function more robust against accidental nil map dereferences upstream.
| // Returns "http" when a url field is present, "stdio" when command or container is present, | ||
| // and an empty string when the type cannot be determined. It does not validate the explicit | ||
| // 'type' field — that is done by the caller. | ||
| func inferMCPType(config map[string]any) string { |
There was a problem hiding this comment.
Good use of field presence to infer type without relying on the explicit type field. The function comment clearly separates this from the explicit-field validation. One minor suggestion: returning a named constant (e.g. mcpTypeHTTP, mcpTypeStdio) instead of raw string literals would prevent typos at call sites.
|
Commit pushed:
|
pelikhan
deleted the
copilot/deep-report-wire-up-dead-mcp-config-schema-validat
branch
ValidateMCPConfigWithSchemainpkg/parser/schema_validation.gowas a comment stub with no body. The compiledmcpConfigSchemawas never invoked at runtime, leaving thecase mcpConfigSchema:branch invalidateWithSchemaas dead code and silently passing malformed MCP configs (invalidcontainerpatterns, badenvkey casing, malformedmounts, unknown properties, etc.).Changes
pkg/parser/schema_validation.go: ImplementsValidateMCPConfigWithSchema(mcpConfig map[string]any) error— delegates tovalidateWithSchemawith the embeddedmcpConfigSchema.pkg/workflow/mcp_config_validation.go:inferMCPType(config map[string]any) stringhelper — deduplicates the type-inference logic previously inline invalidateMCPRequirements.mcpSchemaTopLevelFields(the 14 properties frommcp_config_schema.json) with a sync warning comment.buildSchemaMCPConfig— strips tool-specific fields (auth,proxy-args,mode, etc.) not defined in the schema (additionalProperties: false), and injects an inferredtypewhen absent. Injection is required because JSON Schema draft-07 evaluatesproperties-basedifconditions as vacuously true when the checked property is missing, causing contradictorythenclauses to fire on valid type-inferred configs.parser.ValidateMCPConfigWithSchema(buildSchemaMCPConfig(config))after custom validation inValidateMCPConfigs— schema runs as a catch-all, custom validation runs first to preserve its more actionable error messages.pkg/parser/schema_test.go: AddsTestValidateMCPConfigWithSchemawith 10 sub-tests covering valid stdio/http configs, invalidcontainerpattern, invalidenvkey format, malformedmounts, unknown property, and empty config.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -trimpath /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git runs/20260409-16git -buildtags t git(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE /home/REDACTED/wor--show-toplevel gh run view 12345 /usr/bin/infocmp nonexistent/repogit --json status,conclusio--show-toplevel infocmp(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/infocmp YoZb2gPbL git /usr/bin/git infocmp(http block)https://api.github.com/orgs/test-owner/actions/secrets/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -c=4 -nolocalimports -importcfg /tmp/go-build852536409/b411/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --end-of-optionsGOINSECURE blob 64/bin/go --show-toplevel git /usr/bin/git go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel 64/pkg/tool/linutest@example.com /usr/bin/git _.a GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linuremote.origin.url /usr/bin/git 7/001/test-frontgit o ache/go/1.25.8/x--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha GOMODCACHE go /usr/bin/git y_with_repos_arrgit GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE k git(http block)/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/ls git rev-�� --show-toplevel ls /usr/bin/git /tmp/gh-aw/aw-magit git /usr/bin/git git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha GOMODCACHE l /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go ache/node/24.14.1/x64/bin/node -json GO111MODULE x_amd64/compile git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha /tmp/TestGuardPolicyTrustedUsersRequiresMinIntegrity3544982804/001 rev-parse /usr/bin/infocmp -json GO111MODULE 64/bin/go infocmp -1 xterm-color go /usr/bin/git re GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel gh /usr/bin/git git rev-�� --show-toplevel git /home/REDACTED/.config/composer/vendor/bin/bash --show-toplevel git /usr/bin/git bash(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 941082/b120/_pkg_.a om/google/jsonschema-go@v0.4.2/jsonschema/annotations.go cfg GOINSECURE b/gh-aw/pkg/typeremote GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile env 941082/b097/_pkg_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/link GOINSECURE b/gh-aw/pkg/consrev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/link(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ache/go/1.25.8/x--json /usr/bin/git 3975/001/stabiligit GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git flow.lock.yml aMu6/n6X7R7Av3bGrev-parse 64/pkg/tool/linu--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git flow.test /tmp/go-build852rev-parse rtcfg.link git rev-�� --show-toplevel 2mibRVx_Hs0jjJt2y1/8h78t_weCVcNh12aptr0/8RJmA6F6wfraVUxGWsNv /usr/bin/git /tmp/go-build852git -trimpath 7bf0f09e258b09b8--show-toplevel git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha heckout/git/ref/tags/v5 64/pkg/tool/linu-tests /usr/bin/git _.a hema-go@v0.4.2/jrev-parse 64/pkg/tool/linu--show-toplevel /usr/bin/git remo�� -v 64/pkg/tool/linux_amd64/compile /usr/bin/git _.a GO111MODULE 64/pkg/tool/linu--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha GOMODCACHE 64/pkg/tool/linux_amd64/asm /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linuremote.origin.url /usr/bin/git _.a GO111MODULE 64/pkg/tool/linu--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha uest|push_to_pull_request_branch)" git /usr/bin/git ons-test49657867git config /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --get remote.origin.urrev-parse /usr/bin/git git(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build716941082/b253/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/asm GOINSECURE l4KX3oU/t-71Y8eXinit GOMODCACHE x_amd64/asm(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha 01 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE g/sig_other.s env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git _.a @v1.19.2/contextrev-parse 64/pkg/tool/linu--show-toplevel /usr/bin/git remo�� -v 64/pkg/tool/linuremote.origin.url /usr/bin/git _.a i0dFibft1 64/pkg/tool/linu--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha user.name Test User clusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle -json GO111MODULE 64/bin/go git rev-�� --show-toplevel dZ/DmlsjaKf_I1OGvm46Qi1/SUx1S633txB5RbIXfqWx /usr/bin/git 1328312938/.githgit GO111MODULE 037598b29ae401e1--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --noprofile e/git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git _.a i.go 64/pkg/tool/linu--show-toplevel /usr/bin/git remo�� -v 64/pkg/tool/linux_amd64/compile /usr/bin/git y_with_repos=pubgit YGaDW_VvF 64/pkg/tool/linu--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha GOMODCACHE l /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git 1328312938/.githgit GO111MODULE ode git(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --noprofile git ache/node/24.14.1/x64/bin/node --show-toplevel git /usr/bin/git ache/node/24.14.1/x64/bin/node 2749�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha origin l 1/x64/bin/node GOPATH sh 64/bin/go 1/x64/bin/node -C /tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_with_explicit_repo696604576/001 remote /usr/bin/infocmp -json GO111MODULE 64/bin/go infocmp(http block)/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha t0 git(http block)/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --show-toplevel git ache/go/1.25.8/x64/bin/bash --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel 64/pkg/tool/linu-importcfg /usr/bin/git _.a GO111MODULE 64/pkg/tool/linu--show-toplevel /usr/bin/git remo�� -v 64/pkg/tool/linu-extld=gcc /usr/bin/git 638737366/.githugit 7JGiP3oGe ache/go/1.25.8/x--show-toplevel git(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha GOMODCACHE x_amd64/vet clusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle -json GO111MODULE x_amd64/vet git conf�� --get remote.origin.url /usr/bin/git -json GO111MODULE 64/bin/sh git(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel gh /usr/bin/git /repos/actions/ggit --jq /usr/bin/git git rev-�� --show-toplevel git ache/node/24.14.1/x64/bin/node --show-toplevel git /usr/bin/git ache/node/24.14.1/x64/bin/node(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --all-progress-implied --revs 1/x64/bin/node --thin --delta-base-offrev-parse -q 1/x64/bin/node -C e: ${{ secrets.TOKEN }} config /usr/bin/git remote.origin.urgit GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --bare --initial-branch=main /usr/bin/git -t security 64/bin/go git -C /tmp/gh-aw-test-runs/20260409-161104-47328/test-485903323/.github/workflows remote 1/x64/bin/node -json GO111MODULE 64/bin/go 1/x64/bin/node(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha ripts/lint_error_messages.go git 1/x64/bin/node --show-toplevel git /usr/bin/git ache/go/1.25.8/x64/pkg/tool/linux_amd64/link hash�� vaScript825230083/001/test-frontmatter-with-arrays.md git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha git-receive-pack '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitcustom_brancremote.origin.urgit l e/git -c=4 -nolocalimports -importcfg e/git rev-�� --show-toplevel go /usr/bin/git -json sonrpc2/conn.go 64/bin/go git(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel -diff 2>&1); \ GO111MODULE /usr/bin/git -t security 64/bin/go git -C /tmp/gh-aw-test-runs/20260409-161104-47328/test-485903323/.github/workflows rev-parse /usr/bin/git -json GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git 1/x64/bin/node --show-toplevel git /usr/bin/git ache/go/1.25.8/x64/pkg/tool/linux_amd64/cgo t-ha�� vaScript825230083/001/test-frontmatter-with-nested-objects.md git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name 5.0/internal/doc-nolocalimports 64/pkg/tool/linu-importcfg GOINSECURE ic_wasm.o 64/src/internal/user.name 64/pkg/tool/linuTest User env 3294184831 Bzwz7Kv-X 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run download 1 --dir test-logs/run-1 S1XHWmzm6 64/pkg/tool/linux_amd64/cgo GOINSECURE(http block)/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE 669575/b306/vet.cfg GOINSECURE GOMOD GOMODCACHE sh -c licyBlockedUsersCommaSeparatedCompiledOutput1032765530/001 GOPROXY 669575/b442/vet.cfg l GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.8/xremote.origin.url(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name QWGZF_tJr 64/pkg/tool/linux_amd64/compile GOINSECURE essage GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a ke8fejfLv 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 0/message/catalog/catalog.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD bis 64/pkg/tool/linuTest User env _.a PcfUGjA_S ache/go/1.25.8/x64/pkg/tool/linu-nilfunc GOINSECURE t GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-tests(http block)/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE /opt/hostedtoolcache/uv/0.11.6/x86_64/sh GOINSECURE set GOMODCACHE sh -c npx prettier --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GOPROXY /usr/local/.ghcup/bin/sh GOSUMDB GOWORK 64/bin/go sh(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name 4/apic.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD bis 64/pkg/tool/linux_amd64/compile env _.a sYAOo28ie 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link(http block)/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 0/internal/format/format.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env _.a bBouUBHdz x_amd64/compile GOINSECURE(http block)/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE /home/REDACTED/.local/bin/sh GOINSECURE GOMOD GOMODCACHE sh -c npx prettier --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GOPROXY /home/REDACTED/.dotnet/tools/sh GOSUMDB GOWORK run-script/lib/n--show-toplevel sh(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name dyvKs137W 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 3294184831 QuPWq4ACQ 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh run download 2 --dir test-logs/run-2 4GDF0MOYT 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env IIAr-WTp5 GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link(http block)/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name resolved$ 669575/b396/vet.cfg GOINSECURE GOMOD GOMODCACHE sh -c licyBlockedUsersCommaSeparatedCompiledOutput1032765530/001 GOPROXY /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name 5.0/deviceauth.g-c=4 64/pkg/tool/linu-nolocalimports GOINSECURE y.o 64/src/internal/user.email 64/pkg/tool/linutest@example.com env 3294184831 tVIFB3NxN ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE go-sdk/oauthex GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run download 3 --dir test-logs/run-3 kVjpTbR-V 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env rtcfg GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD bis 64/src/math/big/arith_wasm.s(http block)/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE /opt/hostedtoolcache/uv/0.11.6/x86_64/sh GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore GOPROXY 669575/b443/vet.cfg GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/auth/auth.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 3294184831 til_test.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE go-sdk/mcp GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD bis 64/pkg/tool/linutest@example.com env -json cfg ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath(http block)/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE ache/node/24.14.1/x64/bin/node GOINSECURE GOMOD GOMODCACHE sh t-37�� bility_SameInputSameOutput1540923980/001/stability-test.md GOPROXY 669575/b448/vet.cfg GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.8/xremote.origin.url(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/oauthex/auth_meta.go 64/pkg/tool/linux_amd64/compile GOINSECURE tants GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a GO111MODULE x_amd64/compile GOINSECURE go-sdk/auth GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh run download 5 --dir test-logs/run-5 NgK5Xenpy ache/go/1.25.8/x64/bin/go GOINSECURE l/errors GOMODCACHE go env SaeZgGgAk GO111MODULE k GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-test.v=true(http block)/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE 669575/b381/vet.cfg GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore GOPROXY /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc--json(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path /tmp/go-build420-p -trimpath 64/bin/go -p main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD y.s go(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linuremote2 env l.go l_test.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuremote.origin.url(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git st-3191823691/.ggit 7Ps3/Xuna8G_bMUXrev-parse 1/x64/bin/node git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuTest User /usr/bin/git vaScript32919121git c9jA/W7YQqeYuXmRrev-parse /opt/hostedtoolc--show-toplevel git(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel go /usr/bin/git Onlymin-integritgit GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel erignore /usr/bin/git -json GO111MODULE /opt/hostedtoolc--show-toplevel git(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha _.a xpQFH7LFx /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE bidirule GOMODCACHE go stlo�� rtcfg cu5AAtlhm ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linurev-parse(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /usr/bin/wc user.email test@example.comrev-parse /opt/hostedtoolc--show-toplevel wc(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha sm-opt -Oz (size optimization)..."; \ BEFORE=$(wc -c < gh-aw.wasm); \ wasm-opt -Oz --enable-bugit GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env phen2937969692/001 phen2937969692/002/work odules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json .go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm 2343�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env lGitmaster_branch2234351819/001' lGitmaster_branch2234351819/001' x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env Gitmain_branch27remote.origin.url Gitmain_branch2710979099/001' x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha b/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.8/x-nilfunc GOINSECURE GOMOD GOMODCACHE go rtcf�� -json yi2fVdpoL ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x^remote\..*\.gh-resolved$(http block)/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go phen�� -json GO111MODULE ode_modules/.bin/sh GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/sed --show-toplevel go /usr/bin/git sed(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE js_wasm.o 64/src/runtime/r--show-toplevel 64/pkg/tool/linu/tmp/go-build852536409/b455/_testmain.go env -json JWpi-bmPh ache/go/1.25.8/x64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-tests(http block)/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion **/*.json --ignore-path ../../../.pretti--show-toplevel git conf�� user.email test@example.com /usr/bin/git --show-toplevel git 64/bin/go git(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -nolocalimports -importcfg /tmp/go-build852536409/b415/importcfg -pack /tmp/go-build852536409/b415/_testmain.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go -p main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build852536409/b397/cli.test /tmp/go-build852536409/b397/cli.test -test.testlogfile=/tmp/go-build852536409/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build716941082/b207/importcfg -pack -o /tmp/go-build420-p -trimpath 64/bin/go -p main -lang=go1.25 go(http block)/tmp/go-build514669575/b397/cli.test /tmp/go-build514669575/b397/cli.test -test.testlogfile=/tmp/go-build514669575/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true ithub-script/gitgo git /usr/bin/git go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name /tmp/go-build420-p -trimpath 64/bin/go -p main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --format=%(refnaGOINSECURE --merged=8993467GOMOD 64/bin/go --show-toplevel git /usr/bin/git go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)If you need me to access, download, or install something from one of these locations, you can either:
✨ PR Review Safe Output Test - Run 24204964101
Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".To allow these resources, lower
min-integrityin your GitHub frontmatter:Changeset