From 834091bea45dce79fb7d34ee85c264549bb55990 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Apr 2026 23:43:03 +0000
Subject: [PATCH 1/3] Initial plan
From fbab05c595147d5767f3a9dfa5d25f4e67d579bb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Apr 2026 23:57:41 +0000
Subject: [PATCH 2/3] optimize copilot token optimizer workflow configuration and prompt
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3d92959f-f325-4be8-8abf-38342e590710
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---
.../copilot-token-optimizer.lock.yml | 103 +++---
.github/workflows/copilot-token-optimizer.md | 317 +++++++-----------
2 files changed, 164 insertions(+), 256 deletions(-)
diff --git a/.github/workflows/copilot-token-optimizer.lock.yml b/.github/workflows/copilot-token-optimizer.lock.yml
index 008d0bf4d07..011969f123d 100644
--- a/.github/workflows/copilot-token-optimizer.lock.yml
+++ b/.github/workflows/copilot-token-optimizer.lock.yml
@@ -1,5 +1,5 @@ -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cd9881bfcd49925e8f28729a0a17e3a00234588f848b6629b6d44498684f0e48","strict":true,"agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"astral-sh/setup-uv","sha":"eac588ad8def6316056a12d4907a9d4d84ff7a3b","version":"eac588ad8def6316056a12d4907a9d4d84ff7a3b"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.24"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.24"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.24"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.24"},{"image":"ghcr.io/github/github-mcp-server:v1.0.0"},{"image":"node:lts-alpine","digest":"sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b","pinned_image":"node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b"}]} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"51f72231788ee21708bdccdd34b4db21d30f7eb9135d0216c7b64a7edd2addad","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: 
{"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"astral-sh/setup-uv","sha":"eac588ad8def6316056a12d4907a9d4d84ff7a3b","version":"eac588ad8def6316056a12d4907a9d4d84ff7a3b"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.24"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.24"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.24"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.24"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.24"},{"image":"ghcr.io/github/github-mcp-server:v1.0.0"},{"image":"node:lts-alpine","digest":"sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b","pinned_image":"node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -27,11 +27,11 @@ # Resolved workflow manifest: # Imports: # - copilot-setup-steps.yml -# - shared/mcp/gh-aw.md # - shared/repo-memory-standard.md # - shared/reporting.md # # Secrets used: +# - COPILOT_GITHUB_TOKEN # - GH_AW_GITHUB_MCP_SERVER_TOKEN # - GH_AW_GITHUB_TOKEN # - GITHUB_TOKEN 
@@ -48,6 +48,7 @@ # Container images used: # - ghcr.io/github/gh-aw-firewall/agent:0.25.24 # - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.24 +# - ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.24 # - ghcr.io/github/gh-aw-firewall/squid:0.25.24 # - ghcr.io/github/gh-aw-mcpg:v0.2.24 # - ghcr.io/github/github-mcp-server:v1.0.0 @@ -84,6 +85,7 @@ jobs: comment_repo: "" lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }} model: ${{ steps.generate_aw_info.outputs.model }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} setup-trace-id: ${{ steps.setup.outputs.trace-id }} stale_lock_file_failed: ${{ steps.check-lock-file.outputs.stale_lock_file_failed == 'true' }} steps: @@ -125,6 +127,11 @@ jobs: setupGlobals(core, github, context, exec, io, getOctokit); const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs'); await main(core, context); + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -174,21 +181,21 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh" { - cat << 'GH_AW_PROMPT_f97e902efb847bc1_EOF' + cat << 'GH_AW_PROMPT_a35976b165ba7578_EOF' - GH_AW_PROMPT_f97e902efb847bc1_EOF + GH_AW_PROMPT_a35976b165ba7578_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/repo_memory_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_f97e902efb847bc1_EOF' + cat << 'GH_AW_PROMPT_a35976b165ba7578_EOF' Tools: create_issue, missing_tool, missing_data, noop - GH_AW_PROMPT_f97e902efb847bc1_EOF + GH_AW_PROMPT_a35976b165ba7578_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md" - cat << 'GH_AW_PROMPT_f97e902efb847bc1_EOF' + cat << 'GH_AW_PROMPT_a35976b165ba7578_EOF' The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -217,14 +224,13 @@ jobs: {{/if}} - GH_AW_PROMPT_f97e902efb847bc1_EOF - cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_f97e902efb847bc1_EOF' + GH_AW_PROMPT_a35976b165ba7578_EOF + cat "${RUNNER_TEMP}/gh-aw/prompts/cli_proxy_with_safeoutputs_prompt.md" + cat << 'GH_AW_PROMPT_a35976b165ba7578_EOF' - {{#runtime-import .github/workflows/shared/mcp/gh-aw.md}} {{#runtime-import .github/workflows/shared/reporting.md}} {{#runtime-import .github/workflows/copilot-token-optimizer.md}} - GH_AW_PROMPT_f97e902efb847bc1_EOF + GH_AW_PROMPT_a35976b165ba7578_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 @@ -312,7 +318,6 @@ jobs: permissions: actions: read contents: read - copilot-requests: write issues: read pull-requests: read concurrency: 
@@ -401,14 +406,14 @@ jobs: run: go install golang.org/x/tools/gopls@latest - name: Install TypeScript language server run: npm install -g typescript-language-server typescript - - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - name: Install gh-aw extension - run: "# Install gh-aw if not already available\nif ! gh aw --version >/dev/null 2>&1; then\n echo \"Installing gh-aw extension...\"\n curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash\nfi\ngh aw --version\n# Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization\nmkdir -p \"${RUNNER_TEMP}/gh-aw\"\nGH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1)\nif [ -n \"$GH_AW_BIN\" ] && [ -f \"$GH_AW_BIN\" ]; then\n cp \"$GH_AW_BIN\" \"${RUNNER_TEMP}/gh-aw/gh-aw\"\n chmod +x \"${RUNNER_TEMP}/gh-aw/gh-aw\"\n echo \"Copied gh-aw binary to ${RUNNER_TEMP}/gh-aw/gh-aw\"\nelse\n echo \"::error::Failed to find gh-aw binary for MCP server\"\n exit 1\nfi" - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Download recent Copilot workflow logs - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/token-audit\n\necho \"đŸ“Ĩ Downloading Copilot workflow logs (last 7 days)...\"\n\nLOGS_EXIT=0\ngh aw logs \\\n --engine copilot \\\n --start-date -7d \\\n --json \\\n -c 50 \\\n > /tmp/gh-aw/token-audit/all-runs.json || LOGS_EXIT=$?\n\nif [ -s /tmp/gh-aw/token-audit/all-runs.json ]; then\n TOTAL=$(jq '.runs | length' /tmp/gh-aw/token-audit/all-runs.json)\n echo \"✅ Downloaded $TOTAL Copilot workflow runs (last 7 days)\"\n if [ \"$LOGS_EXIT\" -ne 0 ]; then\n echo \"âš ī¸ gh aw logs exited with code $LOGS_EXIT (partial results — likely API rate limit)\"\n fi\nelse\n echo \"❌ No log data downloaded (exit code $LOGS_EXIT)\"\n echo '{\"runs\":[],\"summary\":{}}' > /tmp/gh-aw/token-audit/all-runs.json\nfi" + run: "set -euo pipefail\nmkdir 
-p /tmp/gh-aw/token-audit\n\necho \"đŸ“Ĩ Downloading Copilot workflow logs (last 7 days)...\"\n\nLOGS_EXIT=0\ngh aw logs \\\n --engine copilot \\\n --start-date -7d \\\n --json \\\n -c 50 \\\n > /tmp/gh-aw/token-audit/all-runs.json || LOGS_EXIT=$?\n\nif [ -s /tmp/gh-aw/token-audit/all-runs.json ]; then\n TOTAL=$(jq '.runs | length' /tmp/gh-aw/token-audit/all-runs.json)\n echo \"✅ Downloaded $TOTAL Copilot workflow runs (last 7 days)\"\n if [ \"$LOGS_EXIT\" -ne 0 ]; then\n echo \"âš ī¸ gh aw logs exited with code $LOGS_EXIT (partial results — likely API rate limit)\"\n fi\nelse\n echo \"❌ No log data downloaded (exit code $LOGS_EXIT)\"\n echo '{\"runs\":[],\"summary\":{}}' > /tmp/gh-aw/token-audit/all-runs.json\nfi\n" + - name: Pre-aggregate top workflows by token usage + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/token-audit\n\njq '{\n generated_at: (now | todateiso8601),\n window_days: 7,\n top_workflows: (\n [.runs[]\n | select(.status == \"completed\")\n | {\n workflow_name: .workflow_name,\n tokens: (.token_usage // 0),\n cost: (.estimated_cost // 0),\n turns: (.turns // 0),\n action_minutes: (.action_minutes // 0)\n }\n ]\n | group_by(.workflow_name)\n | map({\n workflow_name: .[0].workflow_name,\n run_count: length,\n total_tokens: (map(.tokens) | add),\n avg_tokens: ((map(.tokens) | add) / length),\n total_cost: (map(.cost) | add),\n total_turns: (map(.turns) | add),\n total_action_minutes: (map(.action_minutes) | add)\n })\n | sort_by(.total_tokens)\n | reverse\n | .[:10]\n )\n}' /tmp/gh-aw/token-audit/all-runs.json > /tmp/gh-aw/token-audit/top-workflows.json\n\necho \"✅ Generated top workflow summary at /tmp/gh-aw/token-audit/top-workflows.json\"\njq '.top_workflows' /tmp/gh-aw/token-audit/top-workflows.json\n" + - name: Load optimization history + run: "set -euo pipefail\n\nOPT_LOG=\"/tmp/gh-aw/repo-memory/default/optimization-log.json\"\nif [ -f \"$OPT_LOG\" ]; then\n echo \"✅ Previous optimizations:\"\n jq -r '.[] | \"\\(.date): \\(.workflow_name)\"' 
\"$OPT_LOG\"\nelse\n echo \"â„šī¸ No previous optimization history found.\"\nfi" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) 
@@ -464,15 +469,15 @@ jobs: const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.24 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.24 ghcr.io/github/gh-aw-firewall/squid:0.25.24 ghcr.io/github/gh-aw-mcpg:v0.2.24 ghcr.io/github/github-mcp-server:v1.0.0 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b + run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.24 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.24 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.24 ghcr.io/github/gh-aw-firewall/squid:0.25.24 ghcr.io/github/gh-aw-mcpg:v0.2.24 ghcr.io/github/github-mcp-server:v1.0.0 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_a02b06b4242f1b99_EOF' + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_11a733797a14f60b_EOF' {"create_issue":{"close_older_issues":true,"expires":168,"max":1,"title_prefix":"[copilot-token-optimizer] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":51200}]},"report_incomplete":{}} - GH_AW_SAFE_OUTPUTS_CONFIG_a02b06b4242f1b99_EOF + GH_AW_SAFE_OUTPUTS_CONFIG_11a733797a14f60b_EOF - name: Write Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | 
@@ -645,9 +650,6 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} - GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }} - GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p "${RUNNER_TEMP}/gh-aw/mcp-config" @@ -671,25 +673,9 @@ jobs: mkdir -p /home/runner/.copilot GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_a65e22ee289ac559_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_8074596f7a306dc7_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { - "github": { - "type": "stdio", - "container": "ghcr.io/github/github-mcp-server:v1.0.0", - "env": { - "GITHUB_HOST": "\${GITHUB_SERVER_URL}", - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", - "GITHUB_READ_ONLY": "1", - "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" - }, - "guard-policies": { - "allow-only": { - "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY", - "repos": "$GITHUB_MCP_GUARD_REPOS" - } - } - }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", @@ -712,7 +698,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_a65e22ee289ac559_EOF + GH_AW_MCP_CONFIG_8074596f7a306dc7_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true 
@@ -741,6 +727,14 @@ jobs: - name: Clean git credentials continue-on-error: true run: bash "${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials.sh" + - name: Start CLI proxy + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_SERVER_URL: ${{ github.server_url }} + CLI_PROXY_POLICY: '{"allow-only":{"repos":"all","min-integrity":"none"}}' + CLI_PROXY_IMAGE: 'ghcr.io/github/gh-aw-mcpg:v0.2.24' + run: | + bash "${RUNNER_TEMP}/gh-aw/actions/start_cli_proxy.sh" - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -752,17 +746,18 @@ jobs: export GH_AW_NODE_BIN (umask 177 && touch /tmp/gh-aw/agent-stdio.log) # shellcheck disable=SC1003 - sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --image-tag 0.25.24 --skip-pull --enable-api-proxy \ + sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GH_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --allow-domains 
api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --image-tag 0.25.24 --skip-pull --enable-api-proxy --difc-proxy-host host.docker.internal:18443 --difc-proxy-ca-cert /tmp/gh-aw/difc-proxy-tls/ca.crt \ -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! 
-x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE - COPILOT_GITHUB_TOKEN: ${{ github.token }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PHASE: agent GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }} GH_AW_VERSION: dev + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || github.token }} GITHUB_API_URL: ${{ github.api_url }} GITHUB_AW: true GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows @@ -776,8 +771,11 @@ jobs: GIT_AUTHOR_NAME: github-actions[bot] GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com GIT_COMMITTER_NAME: github-actions[bot] - S2STOKENS: true XDG_CONFIG_HOME: /home/runner + - name: Stop CLI proxy + if: always() + continue-on-error: true + run: bash "${RUNNER_TEMP}/gh-aw/actions/stop_cli_proxy.sh" - name: Detect Copilot errors id: detect-copilot-errors if: always() 
@@ -819,7 +817,8 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -1061,6 +1060,7 @@ jobs: GH_AW_WORKFLOW_ID: "copilot-token-optimizer" GH_AW_ACTION_FAILURE_ISSUE_EXPIRES_HOURS: "12" GH_AW_ENGINE_ID: "copilot" + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_MCP_POLICY_ERROR: ${{ needs.agent.outputs.mcp_policy_error }} @@ -1092,7 +1092,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - copilot-requests: write outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} detection_reason: ${{ steps.detection_conclusion.outputs.reason }} @@ -1137,7 +1136,7 @@ jobs: rm -rf /tmp/gh-aw/sandbox/firewall/logs rm -rf /tmp/gh-aw/sandbox/firewall/audit - name: Download container images - run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.24 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.24 ghcr.io/github/gh-aw-firewall/squid:0.25.24 + run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.24 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.24 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.24 ghcr.io/github/gh-aw-firewall/squid:0.25.24 - name: Check if detection needed id: detection_guard if: always() 
@@ -1208,15 +1207,16 @@ jobs: export GH_AW_NODE_BIN (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) # shellcheck disable=SC1003 - sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,telemetry.enterprise.githubcopilot.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --image-tag 0.25.24 --skip-pull --enable-api-proxy \ + sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GH_TOKEN --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,telemetry.enterprise.githubcopilot.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --image-tag 0.25.24 --skip-pull --enable-api-proxy --difc-proxy-host host.docker.internal:18443 --difc-proxy-ca-cert /tmp/gh-aw/difc-proxy-tls/ca.crt \ -- /bin/bash -c 'GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! 
-x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE - COPILOT_GITHUB_TOKEN: ${{ github.token }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} GH_AW_PHASE: detection GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_VERSION: dev + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || github.token }} GITHUB_API_URL: ${{ github.api_url }} GITHUB_AW: true GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows @@ -1229,7 +1229,6 @@ jobs: GIT_AUTHOR_NAME: github-actions[bot] GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com GIT_COMMITTER_NAME: github-actions[bot] - S2STOKENS: true XDG_CONFIG_HOME: /home/runner - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' diff --git a/.github/workflows/copilot-token-optimizer.md b/.github/workflows/copilot-token-optimizer.md index 70b9a7977c3..e001b41df6e 100644 --- a/.github/workflows/copilot-token-optimizer.md +++ b/.github/workflows/copilot-token-optimizer.md @@ -12,9 +12,8 @@ permissions: tracker-id: copilot-token-optimizer engine: copilot tools: - mount-as-clis: true github: - toolsets: [default] + toolsets: [issues] bash: - "*" safe-outputs: 
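Review bot: The change to `toolsets: [issues]` in the `tools.github` block reads as a narrowing of GitHub access, but nothing in the compiled lock file of this patch carries that restriction. The lock file hunks remove the whole `github` MCP server entry, which held `GITHUB_READ_ONLY: "1"` and `GITHUB_TOOLSETS`, and no added line mentions an `issues` toolset. Unless the CLI proxy enforces toolsets somewhere not visible here, the agent's reach is set by the proxy policy and `bash: "*"`, not by this line. Please confirm that, and if so say it next to the setting, for example `# note: with cli-proxy enabled no GitHub MCP server is compiled; toolsets does not bound gh CLI access`. The `tools` block continues outside this hunk.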
@@ -31,11 +30,10 @@ imports: description: "Historical daily Copilot token usage snapshots (shared with copilot-token-audit)" max-patch-size: 51200 - copilot-setup-steps.yml - - uses: shared/mcp/gh-aw.md - shared/reporting.md features: mcp-cli: true - copilot-requests: true + cli-proxy: true steps: - name: Download recent Copilot workflow logs env: 
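Review bot: Adding `cli-proxy: true` under `features` replaces a guard policy derived at run time with a fixed, fully open one, and nothing in the frontmatter records that trade-off. In the compiled lock file the removed `github` server took `min-integrity` and `repos` from the `determine-automatic-lockdown` step outputs, while the new "Start CLI proxy" step hard-codes `CLI_PROXY_POLICY: '{"allow-only":{"repos":"all","min-integrity":"none"}}'`. The agent runs with `--allow-all-tools` and `bash: "*"`, so content of any integrity level from any repository can now reach its context. If the frontmatter can pin a stricter policy, set it here; otherwise add a comment such as `# cli-proxy compiles to repos=all, min-integrity=none; treat agent output as influenced by untrusted content`. Removing `copilot-requests: true` in the same hunk also changes `COPILOT_GITHUB_TOKEN` from `${{ github.token }}` to the stored secret `${{ secrets.COPILOT_GITHUB_TOKEN }}` in both the agent and detection jobs, which the commit message does not mention and which should be confirmed as intended.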
@@ -64,236 +62,147 @@ steps: echo "❌ No log data downloaded (exit code $LOGS_EXIT)" echo '{"runs":[],"summary":{}}' > /tmp/gh-aw/token-audit/all-runs.json fi ---- -{{#runtime-import? .github/shared-instructions.md}} - -# Copilot Token Usage Optimizer - -You are the Copilot Token Optimizer — an analyst that picks one high-token-usage workflow, deeply audits its recent runs, and produces actionable recommendations to reduce token consumption. - -## Mission - -1. Select a target workflow from the audit snapshot in repo-memory. -2. Filter the pre-downloaded run data for that workflow. -3. Analyze token usage patterns, tool usage, error rates, and prompt efficiency. -4. Produce a conservative, evidence-based optimization issue with specific recommendations. - -## Guiding Principles - -- **Be conservative**: Only recommend changes backed by evidence from multiple runs. -- **Look at many runs**: A tool that appears unused in 1 run may be critical in edge cases. Check at least 5 runs before recommending removal. -- **Quantify impact**: Estimate token savings for each recommendation. -- **Preserve correctness**: Never recommend removing a tool that is successfully used in *any* observed run. -- **Prioritize high-impact**: Focus on the biggest token savings first. - -## Pre-loaded Data - -The following data has been pre-downloaded and is available for analysis: - -### Workflow run logs - -The file `/tmp/gh-aw/token-audit/all-runs.json` contains the output of `gh aw logs --json` for the last 7 days across all workflows. This includes per-run token usage, tool calls, and run metadata. - -### Audit snapshots (repo-memory) - -Historical daily snapshots are at `/tmp/gh-aw/repo-memory/default/`. Each `YYYY-MM-DD.json` file has per-workflow token totals from the daily audit. - -### Optimization history - -If `/tmp/gh-aw/repo-memory/default/optimization-log.json` exists, it lists previously optimized workflows with dates. 
- -## Phase 1 — Select Target Workflow - -### Step 1.1: Load Audit Snapshot and Select Target - -Read the latest audit snapshot from repo-memory and select a target: - -```bash -# Find the most recent snapshot -LATEST=$(ls -1 /tmp/gh-aw/repo-memory/default/*.json 2>/dev/null | grep -v rolling | grep -v optimization | sort -r | head -1) -if [ -z "$LATEST" ]; then - echo "âš ī¸ No audit snapshots found" -fi -echo "Latest snapshot: $LATEST" -cat "$LATEST" | jq '.workflows[:10]' - -# Check optimization history -OPT_LOG="/tmp/gh-aw/repo-memory/default/optimization-log.json" -if [ -f "$OPT_LOG" ]; then - echo "Previous optimizations:" - cat "$OPT_LOG" | jq -r '.[] | "\(.date): \(.workflow_name)"' -else - echo "No previous optimization history found." -fi -``` - -Pick the workflow with the highest `total_tokens` from the audit snapshot that does **not** appear in the optimization log within the last 14 days. Randomly select from the top 5 candidates to ensure variety. Skip any workflow with "Token" in the name (to avoid optimizing ourselves). - -If no audit snapshot exists, aggregate the pre-downloaded run data from `/tmp/gh-aw/token-audit/all-runs.json` to find the highest consumer. - -### Step 1.2: Filter Run Data for Selected Workflow -```bash -SELECTED="" -jq --arg name "$SELECTED" '{ - workflow: $name, - total_runs: [.runs[] | select(.workflow_name == $name)] | length, - total_tokens: [.runs[] | select(.workflow_name == $name) | .token_usage // 0] | add, - runs: [.runs[] | select(.workflow_name == $name) | { - run_id: .run_id, - tokens: .token_usage, - effective_tokens: .effective_tokens, - turns: .turns, - model: .model, - conclusion: .conclusion, - created_at: .created_at - }] -}' /tmp/gh-aw/token-audit/all-runs.json -``` - -If no runs are found for the selected workflow in the pre-downloaded data, report this in the issue and base your analysis on the audit snapshot and workflow source code. 
- -### Step 1.3: Read the Workflow Source - -Use the GitHub MCP tools to read the target workflow's `.md` file from the repository. This lets you see: -- Which MCP tools are configured -- Network permissions -- Prompt instructions -- Imported shared components - -## Phase 2 — Analysis - -### 2.1: Tool Usage Analysis - -Cross-reference **configured tools** (from the workflow `.md`) with **actual tool usage** (from audit data): - -| Tool | Configured? | Used in N/M runs | Avg calls/run | Recommendation | -|---|---|---|---|---| -| ... | ... | ... | ... | Keep / Consider removing / Remove | - -**Rules for tool recommendations:** -- **Keep**: Used in â‰Ĩ50% of audited runs, or used in any run and essential to the workflow's purpose -- **Consider removing**: Used in <20% of runs AND not part of the workflow's core purpose -- **Remove**: Never used across all audited runs AND not referenced in the prompt - -### 2.2: Token Efficiency Analysis - -- Compare `token_usage` vs `effective_tokens` — a large gap suggests poor cache utilization -- Check `cache_efficiency` — below 0.3 suggests the workflow isn't benefiting from caching -- Look at `turns` — high turn counts relative to task complexity suggest the prompt could be clearer -- Check input vs output token ratio from `token_usage_summary.by_model` - -### 2.3: Error Pattern Analysis - -- Recurring errors or warnings that cause retries waste tokens -- MCP failures that trigger fallback behavior -- Missing tools that cause the agent to improvise (expensive) - -### 2.4: Prompt Efficiency - -- Is the prompt overly verbose? Long prompts consume input tokens on every turn -- Are there redundant instructions? -- Could few-shot examples be replaced with clearer constraints? 
- -## Phase 3 — Recommendations + - name: Pre-aggregate top workflows by token usage + run: | + set -euo pipefail + mkdir -p /tmp/gh-aw/token-audit -Generate specific, actionable recommendations with estimated token savings: + jq '{ + generated_at: (now | todateiso8601), + window_days: 7, + top_workflows: ( + [.runs[] + | select(.status == "completed") + | { + workflow_name: .workflow_name, + tokens: (.token_usage // 0), + cost: (.estimated_cost // 0), + turns: (.turns // 0), + action_minutes: (.action_minutes // 0) + } + ] + | group_by(.workflow_name) + | map({ + workflow_name: .[0].workflow_name, + run_count: length, + total_tokens: (map(.tokens) | add), + avg_tokens: ((map(.tokens) | add) / length), + total_cost: (map(.cost) | add), + total_turns: (map(.turns) | add), + total_action_minutes: (map(.action_minutes) | add) + }) + | sort_by(.total_tokens) + | reverse + | .[:10] + ) + }' /tmp/gh-aw/token-audit/all-runs.json > /tmp/gh-aw/token-audit/top-workflows.json + + echo "✅ Generated top workflow summary at /tmp/gh-aw/token-audit/top-workflows.json" + jq '.top_workflows' /tmp/gh-aw/token-audit/top-workflows.json + + - name: Load optimization history + run: | + set -euo pipefail -### Recommendation Categories + OPT_LOG="/tmp/gh-aw/repo-memory/default/optimization-log.json" + if [ -f "$OPT_LOG" ]; then + echo "✅ Previous optimizations:" + jq -r '.[] | "\(.date): \(.workflow_name)"' "$OPT_LOG" + else + echo "â„šī¸ No previous optimization history found." + fi +--- +{{#runtime-import? .github/shared-instructions.md}} -1. **Tool Configuration** (high impact) - - Remove unused MCP tools (each tool's schema consumes input tokens) - - Consolidate overlapping tools - - Add missing tools that would prevent expensive workarounds +# Copilot Token Usage Optimizer -2. 
**Prompt Optimization** (medium impact) - - Reduce prompt length where possible - - Clarify ambiguous instructions that cause extra turns - - Add constraints that prevent unnecessary exploration +You are the Copilot Token Optimizer. Pick one high-cost workflow, audit recent runs, and create a conservative optimization issue with measurable savings. -3. **Configuration Tuning** (medium impact) - - Adjust `timeout-minutes` if runs consistently finish early or time out - - Review `max-continuations` settings - - Consider `strict: true` if not already set +## Objectives -4. **Architecture Changes** (high impact, higher risk) - - Split large prompts into focused sub-workflows - - Use shared components to reduce duplication - - Pre-compute data in bash steps to reduce agent work +1. Select one workflow using repo-memory and pre-aggregated data. +2. Analyze tokens, turns, errors, and tool usage patterns across multiple runs. +3. Propose safe, high-impact optimizations with evidence. +4. Publish one issue and update optimization history. -## Phase 4 — Publish Issue +## Data Inputs -Create an issue with the analysis. Use this structure: +- `/tmp/gh-aw/token-audit/all-runs.json`: full 7-day run data (`gh aw logs --json`). +- `/tmp/gh-aw/token-audit/top-workflows.json`: pre-aggregated top 10 workflows by total tokens. +- `/tmp/gh-aw/repo-memory/default/YYYY-MM-DD.json`: daily audit snapshots. +- `/tmp/gh-aw/repo-memory/default/optimization-log.json`: prior optimizations (if present). -``` -### 🔍 Optimization Target: [Workflow Name] +Treat missing numeric fields (`token_usage`, `estimated_cost`, `turns`, `action_minutes`) as `0`. -**Selected because**: Highest token consumer not recently optimized -**Analysis period**: [date range] -**Runs analyzed**: N runs (M audited in detail) +## Phase 1 — Select Target -### 📊 Token Usage Profile +- Start from `top-workflows.json`. +- Exclude workflows optimized in the last 14 days (use `optimization-log.json`). 
+- Exclude workflows with "Token" in the name to avoid self-targeting. +- Choose the highest token workflow that remains. +- If no snapshot/history exists, derive candidates directly from `all-runs.json`. -| Metric | Value | -|---|---| -| Total tokens (7d) | N | -| Avg tokens/run | N | -| Total cost (7d) | $X.XX | -| Avg turns/run | N | -| Cache efficiency | X% | +Then collect run-level data for the selected workflow: -### 🔧 Recommendations +- run count +- total and average tokens +- total and average cost +- total and average turns +- conclusions/error patterns -#### 1. [Recommendation title] — Est. savings: ~N tokens/run +## Phase 2 — Analyze -[Evidence and rationale from multiple runs] +Use this compact analysis matrix: -**Action**: [Specific change to make] +| Area | Required checks | Output | +|---|---|---| +| Tool usage | Compare configured tools vs observed usage across multiple runs | Keep / Consider removing / Remove | +| Token efficiency | Evaluate token totals, effective tokens, cache efficiency, turns | Top token waste drivers | +| Reliability | Repeated errors, warnings, retries, missing tools | Token waste from failures | +| Prompt efficiency | Redundant instructions, overlong sections, avoidable iteration | Prompt reduction opportunities | -#### 2. [Next recommendation] -... +Rules: -
-Tool Usage Matrix +- Audit at least 5 runs when available before removal recommendations. +- Never recommend removing a tool used in any successful run unless there is strong contrary evidence. +- Prioritize highest expected savings first. -[Full tool usage table] +## Phase 3 — Read Workflow Source -
+Use `gh` CLI (via cli-proxy) to read the target workflow `.md` source and validate: -
-Audited Runs Detail +- configured tools and feature flags +- imported shared components +- prompt structure and verbosity +- network/sandbox constraints relevant to recommendations -[Per-run audit summaries with links] +## Phase 4 — Publish Optimization Issue -
+Create one issue with: -### âš ī¸ Caveats +- **Target workflow + reason selected** +- **Analysis period + runs analyzed** +- **Token profile table** (total tokens, avg tokens/run, total cost, avg turns/run, cache efficiency) +- **Ranked recommendations** with: + - title + - estimated token savings per run + - concrete action + - evidence from observed runs +- **Caveats** (sampling limits, edge cases) -- These recommendations are based on N runs over M days -- Edge cases not observed in the sample may require some tools -- Verify changes in a test run before applying permanently -``` +Use `
` blocks for long supporting tables. ## Phase 5 — Update Optimization Log -Append an entry to `/tmp/gh-aw/repo-memory/default/optimization-log.json`: +Append one entry to `/tmp/gh-aw/repo-memory/default/optimization-log.json`: -```json -{ - "date": "YYYY-MM-DD", - "workflow_name": "...", - "total_tokens_analyzed": N, - "runs_audited": N, - "recommendations_count": N, - "estimated_savings_per_run": N -} -``` +`{"date":"YYYY-MM-DD","workflow_name":"...","total_tokens_analyzed":N,"runs_audited":N,"recommendations_count":N,"estimated_savings_per_run":N}` -Load the existing array, append the new entry, trim to the last 30 entries, and save. +Load existing array if present, append, keep only last 30 entries, and save. -## Important Notes +## Guardrails -- Run data is pre-downloaded to `/tmp/gh-aw/token-audit/all-runs.json` — use `jq` to filter and analyze it. Do not try to download logs yourself. -- Treat null/missing `token_usage` and `estimated_cost` as 0. -- The repo-memory branch `memory/token-audit` is shared with the `copilot-token-audit` workflow — read its snapshots but don't overwrite them. Only write to `optimization-log.json`. -- Use `cat` and `jq` to inspect the pre-downloaded data. Use GitHub MCP tools to read workflow source files. +- Use pre-downloaded data; do not re-download logs. +- Keep recommendations evidence-based and low-risk. +- Do not modify audit snapshots; only update `optimization-log.json`. From 48837d104494de5caf277b9a57596c4c980728d6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 19 Apr 2026 00:05:15 +0000 Subject: [PATCH 3/3] clarify cli-proxy gh usage in token optimizer prompt Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3d92959f-f325-4be8-8abf-38342e590710 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- .github/workflows/copilot-token-optimizer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
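Review bot: The added `select(.status == "completed")` filter in the pre-aggregation step silently yields an empty `top_workflows` if the run objects carry no `status` field; the jq that this commit removes from the prompt read only `conclusion`, so whether `gh aw logs --json` emits `status` cannot be confirmed from this diff. An empty list is indistinguishable from the no-data fallback written by the previous step, and Phase 1 of the prompt then starts from an empty file. Add a check after the jq call, e.g. `jq -e '.top_workflows | length > 0' /tmp/gh-aw/token-audit/top-workflows.json >/dev/null || echo "::warning::top-workflows.json is empty"`. The "Load optimization history" step has a related fragility: under `set -euo pipefail`, a malformed or non-array `optimization-log.json`, a file the agent itself rewrites in Phase 5, makes the `jq -r` call fail and with it the step, apparently before the agent runs.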
diff --git a/.github/workflows/copilot-token-optimizer.md b/.github/workflows/copilot-token-optimizer.md index e001b41df6e..8a3d5b6a19d 100644 --- a/.github/workflows/copilot-token-optimizer.md +++ b/.github/workflows/copilot-token-optimizer.md @@ -157,7 +157,7 @@ Use this compact analysis matrix: | Area | Required checks | Output | |---|---|---| -| Tool usage | Compare configured tools vs observed usage across multiple runs | Keep / Consider removing / Remove | +| Tool usage | Compare configured tools from workflow source (read via `gh api` through cli-proxy) vs observed usage across multiple runs | Keep / Consider removing / Remove | | Token efficiency | Evaluate token totals, effective tokens, cache efficiency, turns | Top token waste drivers | | Reliability | Repeated errors, warnings, retries, missing tools | Token waste from failures | | Prompt efficiency | Redundant instructions, overlong sections, avoidable iteration | Prompt reduction opportunities | @@ -170,7 +170,7 @@ Rules: ## Phase 3 — Read Workflow Source -Use `gh` CLI (via cli-proxy) to read the target workflow `.md` source and validate: +Use `gh` CLI requests (via cli-proxy) to read the target workflow `.md` source and validate. Run `gh` commands normally in bash steps; cli-proxy forwards them over its HTTP interface: - configured tools and feature flags - imported shared components