From 45d34bba3137fd9b9492d609773c28235d14014f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 3 Nov 2025 19:52:24 +0000 Subject: [PATCH 1/7] Initial plan From 477f84fa0bb78f9bacf59907d923916f91cbd7cd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 3 Nov 2025 19:58:25 +0000 Subject: [PATCH 2/7] Initial exploration of safe outputs MCP server configuration Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/audit-workflows.lock.yml | 39 ++++++++++++------- .github/workflows/blog-auditor.lock.yml | 39 ++++++++++++------- .../commit-changes-analyzer.lock.yml | 39 ++++++++++++------- .../workflows/copilot-agent-analysis.lock.yml | 39 ++++++++++++------- .../copilot-session-insights.lock.yml | 39 ++++++++++++------- .github/workflows/daily-doc-updater.lock.yml | 39 ++++++++++++------- .../example-workflow-analyzer.lock.yml | 39 ++++++++++++------- .../github-mcp-tools-report.lock.yml | 39 ++++++++++++------- .github/workflows/go-logger.lock.yml | 39 ++++++++++++------- .../workflows/go-pattern-detector.lock.yml | 39 ++++++++++++------- .../workflows/instructions-janitor.lock.yml | 39 ++++++++++++------- .github/workflows/lockfile-stats.lock.yml | 39 ++++++++++++------- .../prompt-clustering-analysis.lock.yml | 39 ++++++++++++------- .github/workflows/safe-output-health.lock.yml | 39 ++++++++++++------- .../schema-consistency-checker.lock.yml | 39 ++++++++++++------- .github/workflows/scout.lock.yml | 39 ++++++++++++------- .github/workflows/security-fix-pr.lock.yml | 39 ++++++++++++------- .../semantic-function-refactor.lock.yml | 39 ++++++++++++------- .github/workflows/smoke-claude.lock.yml | 39 ++++++++++++------- .github/workflows/smoke-detector.lock.yml | 39 ++++++++++++------- .../workflows/static-analysis-report.lock.yml | 39 ++++++++++++------- .../test-claude-oauth-workflow.lock.yml | 24 ++++++------ .github/workflows/unbloat-docs.lock.yml | 39 ++++++++++++------- 23 files changed, 584 insertions(+), 298 deletions(-) diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index f965e172e07..4e0b13e5596 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -279,17 +279,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -2485,6 +2490,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash,BashOutput,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2616,8 +2622,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4546,17 +4553,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4591,6 +4603,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 58204c8f4b8..3293feb3edc 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -201,17 +201,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1839,6 +1844,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(cat *),Bash(cat),Bash(date *),Bash(date),Bash(echo *),Bash(echo),Bash(gh aw compile *),Bash(grep),Bash(head),Bash(ls *),Bash(ls),Bash(mktemp *),Bash(pwd),Bash(rm *),Bash(sort),Bash(tail),Bash(test *),Bash(uniq),Bash(wc),Bash(yq),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -1966,8 +1972,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -3890,17 +3897,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -3935,6 +3947,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 9e9aaf2112c..966fd4f88fd 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -204,17 +204,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1769,6 +1774,7 @@ jobs: claude --print --max-turns 100 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash,BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -1897,8 +1903,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -3820,17 +3827,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -3865,6 +3877,7 @@ jobs: claude --print --max-turns 100 --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 612b4630528..b77ca5fe471 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -234,17 +234,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -2122,6 +2127,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(/tmp/gh-aw/jqschema.sh),Bash(cat),Bash(date),Bash(echo),Bash(find .github -name '*.md'),Bash(find .github -type f -exec cat {} +),Bash(gh pr list *),Bash(gh search prs *),Bash(git diff),Bash(git log --oneline),Bash(grep),Bash(head),Bash(jq *),Bash(ls -la .github),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2249,8 +2255,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4173,17 +4180,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4218,6 +4230,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 37db8be33ba..a690f0da9b8 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -268,17 +268,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -3026,6 +3031,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash,BashOutput,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -3156,8 +3162,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_COPILOT_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_COPILOT_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_COPILOT_TOKEN: ${{ secrets.GH_AW_COPILOT_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -5088,17 +5095,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -5133,6 +5145,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index eabae79eb7e..836cd8ae600 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -219,17 +219,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1705,6 +1710,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(cat),Bash(date),Bash(echo),Bash(find docs -name '*.md' -exec cat {} +),Bash(find docs -name '*.md' -o -name '*.mdx'),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep -r '*' docs),Bash(grep),Bash(head),Bash(ls -la docs),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -1832,8 +1838,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4149,17 +4156,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4194,6 +4206,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index da389c7ff75..3ea5b66725e 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -203,17 +203,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1553,6 +1558,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -1680,8 +1686,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -3604,17 +3611,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -3649,6 +3661,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 2cc13bbe51f..8e28d92ff58 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -234,17 +234,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -2069,6 +2074,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(cat),Bash(date),Bash(echo),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2196,8 +2202,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4762,17 +4769,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4807,6 +4819,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 1e235629e5a..236625f7df3 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -236,17 +236,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1824,6 +1829,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(./gh-aw compile *),Bash(cat),Bash(date),Bash(echo),Bash(find pkg -name '*.go' -type f ! -name '*_test.go'),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep -n 'func ' pkg/*.go),Bash(grep -r 'var log = logger.New' pkg --include='*.go'),Bash(grep),Bash(head -n * pkg/**/*.go),Bash(head),Bash(ls),Bash(make build),Bash(make recompile),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc -l pkg/**/*.go),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -1951,8 +1957,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4255,17 +4262,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4300,6 +4312,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index b864267c77d..697600f6e1a 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -206,17 +206,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1601,6 +1606,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__ast-grep,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -1728,8 +1734,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -3714,17 +3721,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -3759,6 +3771,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index a8c9b0b24a1..6f780619d3f 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -219,17 +219,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1703,6 +1708,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(cat .github/instructions/github-agentic-workflows.instructions.md),Bash(cat),Bash(date),Bash(echo),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git describe --tags --abbrev=0),Bash(git log --since='*' --pretty=format:'%h %s' -- docs/),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc -l .github/instructions/github-agentic-workflows.instructions.md),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -1830,8 +1836,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4134,17 +4141,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4179,6 +4191,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index c7780fe53df..c29e5e746e5 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -223,17 +223,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1907,6 +1912,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(cat),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2034,8 +2040,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -3957,17 +3964,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4002,6 +4014,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index e7e7fbc1fd2..49c4ee2a8f2 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -272,17 +272,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -2242,6 +2247,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash,BashOutput,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2369,8 +2375,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4293,17 +4300,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4338,6 +4350,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 268a8843ba6..df991de6618 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -249,17 +249,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -2038,6 +2043,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(/tmp/gh-aw/jqschema.sh),Bash(cat),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(jq *),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2166,8 +2172,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4089,17 +4096,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4134,6 +4146,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 11dd1dcdd2a..ccb51733ec2 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -227,17 +227,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1909,6 +1914,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2036,8 +2042,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -3960,17 +3967,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4005,6 +4017,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 84c9fe8a327..2cb7ee6d8df 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1223,17 +1223,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -2861,6 +2866,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(/tmp/gh-aw/jqschema.sh),Bash(cat),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(jq *),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__arxiv__get_paper_details,mcp__arxiv__get_paper_pdf,mcp__arxiv__search_arxiv,mcp__context7__get-library-docs,mcp__context7__resolve-library-id,mcp__deepwiki__ask_question,mcp__deepwiki__read_wiki_contents,mcp__deepwiki__read_wiki_structure,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__markitdown,mcp__microsoftdocs,mcp__tavily" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2988,8 +2994,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CONTEXT7_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,CONTEXT7_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_CONTEXT7_API_KEY: ${{ secrets.CONTEXT7_API_KEY }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -4663,17 +4670,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4708,6 +4720,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 8018a94c1d2..99e5d275993 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -217,17 +217,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1651,6 +1656,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -1778,8 +1784,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4095,17 +4102,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4140,6 +4152,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 688ccb0ccd5..13257000fe5 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -226,17 +226,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -2001,6 +2006,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(cat pkg/**/*.go),Bash(cat),Bash(date),Bash(echo),Bash(find pkg -name '*.go' ! -name '*_test.go' -type f),Bash(find pkg -type f -name '*.go' ! -name '*_test.go'),Bash(grep -r 'func ' pkg --include='*.go'),Bash(grep),Bash(head -n * pkg/**/*.go),Bash(head),Bash(ls -la pkg/),Bash(ls -la pkg/workflow/),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc -l pkg/**/*.go),Bash(wc),Bash(yq),BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__serena" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2128,8 +2134,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4116,17 +4123,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4161,6 +4173,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 6ad9133bc2e..f48e3a0812c 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -207,17 +207,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1451,6 +1456,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -1579,8 +1585,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -3564,17 +3571,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -3609,6 +3621,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index fabbc81716d..2ac86b1d349 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -991,17 +991,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -2491,6 +2496,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,LS,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2618,8 +2624,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -4606,17 +4613,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4651,6 +4663,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 5ea9ad6d400..a73fc4eb8cf 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -242,17 +242,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -1927,6 +1932,7 @@ jobs: claude --print --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,LS,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2055,8 +2061,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -3978,17 +3985,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -4023,6 +4035,7 @@ jobs: claude --print --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" diff --git a/.github/workflows/test-claude-oauth-workflow.lock.yml b/.github/workflows/test-claude-oauth-workflow.lock.yml index a38191a9cf5..3feadd8f778 100644 --- a/.github/workflows/test-claude-oauth-workflow.lock.yml +++ b/.github/workflows/test-claude-oauth-workflow.lock.yml @@ -349,7 +349,7 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | mkdir -p $(dirname "$GH_AW_PROMPT") - cat > $GH_AW_PROMPT << 'PROMPT_EOF' + cat > "$GH_AW_PROMPT" << 'PROMPT_EOF' Test the Claude OAuth token support by listing files. PROMPT_EOF @@ -357,7 +357,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat >> $GH_AW_PROMPT << 'PROMPT_EOF' + cat >> "$GH_AW_PROMPT" << 'PROMPT_EOF' --- @@ -389,7 +389,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat >> $GH_AW_PROMPT << 'PROMPT_EOF' + cat >> "$GH_AW_PROMPT" << 'PROMPT_EOF' --- @@ -402,7 +402,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat >> $GH_AW_PROMPT << 'PROMPT_EOF' + cat >> "$GH_AW_PROMPT" << 'PROMPT_EOF' --- @@ -471,14 +471,14 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - echo "
" >> $GITHUB_STEP_SUMMARY - echo "Generated Prompt" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo '```markdown' >> $GITHUB_STEP_SUMMARY - cat $GH_AW_PROMPT >> $GITHUB_STEP_SUMMARY - echo '```' >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "
" >> $GITHUB_STEP_SUMMARY + echo "
" >> "$GITHUB_STEP_SUMMARY" + echo "Generated Prompt" >> "$GITHUB_STEP_SUMMARY" + echo "" >> "$GITHUB_STEP_SUMMARY" + echo '```markdown' >> "$GITHUB_STEP_SUMMARY" + cat "$GH_AW_PROMPT" >> "$GITHUB_STEP_SUMMARY" + echo '```' >> "$GITHUB_STEP_SUMMARY" + echo "" >> "$GITHUB_STEP_SUMMARY" + echo "
" >> "$GITHUB_STEP_SUMMARY" - name: Upload prompt if: always() uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 16efaaea8a5..7e2e1f00d7e 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -992,17 +992,22 @@ jobs: main().catch(error => { core.setFailed(error instanceof Error ? error.message : String(error)); }); - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -2611,6 +2616,7 @@ jobs: claude --print --max-turns 90 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools "Bash(cat *),Bash(cat),Bash(cd *),Bash(cp *),Bash(curl *),Bash(date),Bash(echo),Bash(find docs/src/content/docs -name '*.md'),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep -n *),Bash(grep),Bash(head *),Bash(head),Bash(kill *),Bash(ls),Bash(mkdir *),Bash(mv *),Bash(node *),Bash(ps *),Bash(pwd),Bash(sleep *),Bash(sort),Bash(tail *),Bash(tail),Bash(uniq),Bash(wc -l *),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for" --debug --verbose --permission-mode bypassPermissions --output-format stream-json --settings /tmp/gh-aw/.claude/settings.json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" @@ -2742,8 +2748,9 @@ jobs: } await main(); env: - GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs @@ -5052,17 +5059,22 @@ jobs: run: | mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - - name: Validate ANTHROPIC_API_KEY secret + - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret run: | - if [ -z "$ANTHROPIC_API_KEY" ]; then - echo "Error: ANTHROPIC_API_KEY secret is not set" - echo "The Claude Code engine requires the ANTHROPIC_API_KEY secret to be configured." - echo "Please configure this secret in your repository settings." + if [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ] && [ -z "$ANTHROPIC_API_KEY" ]; then + echo "Error: Neither CLAUDE_CODE_OAUTH_TOKEN nor ANTHROPIC_API_KEY secret is set" + echo "The Claude Code engine requires either CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret to be configured." + echo "Please configure one of these secrets in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code" exit 1 fi - echo "ANTHROPIC_API_KEY secret is configured" + if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then + echo "CLAUDE_CODE_OAUTH_TOKEN secret is configured" + else + echo "ANTHROPIC_API_KEY secret is configured (using as fallback for CLAUDE_CODE_OAUTH_TOKEN)" + fi env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 @@ -5097,6 +5109,7 @@ jobs: claude --print --max-turns 90 --allowed-tools "Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite" --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} DISABLE_TELEMETRY: "1" DISABLE_ERROR_REPORTING: "1" DISABLE_BUG_COMMAND: "1" From 69ddea9c0afab970f44e9821f78dcb1e9c389e7f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 3 Nov 2025 20:16:02 +0000 Subject: [PATCH 3/7] Update safe output MCP server to read config from file instead of env var Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/artifacts-summary.lock.yml | 52 ++++++----------- .github/workflows/audit-workflows.lock.yml | 51 ++++++----------- .github/workflows/blog-auditor.lock.yml | 51 ++++++----------- .github/workflows/brave.lock.yml | 52 ++++++----------- .github/workflows/changeset.lock.yml | 52 ++++++----------- .github/workflows/ci-doctor.lock.yml | 52 ++++++----------- .../workflows/cli-version-checker.lock.yml | 52 ++++++----------- .../commit-changes-analyzer.lock.yml | 51 ++++++----------- .../workflows/copilot-agent-analysis.lock.yml | 51 ++++++----------- .../copilot-pr-prompt-analysis.lock.yml | 52 ++++++----------- .../copilot-session-insights.lock.yml | 51 ++++++----------- .github/workflows/craft.lock.yml | 52 ++++++----------- .github/workflows/daily-doc-updater.lock.yml | 51 ++++++----------- .../workflows/daily-firewall-report.lock.yml | 52 ++++++----------- .github/workflows/daily-news.lock.yml | 52 ++++++----------- .../workflows/daily-perf-improver.lock.yml | 52 ++++++----------- .../workflows/daily-repo-chronicle.lock.yml | 52 ++++++----------- .../workflows/daily-test-improver.lock.yml | 52 ++++++----------- .github/workflows/dev-hawk.lock.yml | 52 ++++++----------- .github/workflows/dev.lock.yml | 52 ++++++----------- .github/workflows/dictation-prompt.lock.yml | 52 ++++++----------- .../duplicate-code-detector.lock.yml | 53 ++++++----------- .../example-workflow-analyzer.lock.yml | 51 ++++++----------- .../github-mcp-tools-report.lock.yml | 51 ++++++----------- .github/workflows/go-logger.lock.yml | 51 ++++++----------- .../workflows/go-pattern-detector.lock.yml | 51 ++++++----------- .../workflows/instructions-janitor.lock.yml | 51 ++++++----------- .github/workflows/issue-classifier.lock.yml | 52 ++++++----------- .github/workflows/lockfile-stats.lock.yml | 51 ++++++----------- .github/workflows/mcp-inspector.lock.yml | 52 ++++++----------- .github/workflows/mergefest.lock.yml | 52 ++++++----------- .../workflows/notion-issue-summary.lock.yml | 52 ++++++----------- .github/workflows/pdf-summary.lock.yml | 52 ++++++----------- .github/workflows/plan.lock.yml | 52 ++++++----------- .github/workflows/poem-bot.lock.yml | 52 ++++++----------- .../prompt-clustering-analysis.lock.yml | 51 ++++++----------- .github/workflows/python-data-charts.lock.yml | 52 ++++++----------- .github/workflows/q.lock.yml | 52 ++++++----------- .github/workflows/repo-tree-map.lock.yml | 52 ++++++----------- .github/workflows/research.lock.yml | 52 ++++++----------- .github/workflows/safe-output-health.lock.yml | 51 ++++++----------- .../schema-consistency-checker.lock.yml | 51 ++++++----------- .github/workflows/scout.lock.yml | 51 ++++++----------- .github/workflows/security-fix-pr.lock.yml | 51 ++++++----------- .../semantic-function-refactor.lock.yml | 51 ++++++----------- .github/workflows/smoke-claude.lock.yml | 51 ++++++----------- .github/workflows/smoke-codex.lock.yml | 53 ++++++----------- .../workflows/smoke-copilot.firewall.lock.yml | 52 ++++++----------- .github/workflows/smoke-copilot.lock.yml | 52 ++++++----------- .github/workflows/smoke-detector.lock.yml | 51 ++++++----------- .github/workflows/smoke-opencode.lock.yml | 57 ++++++------------- .../workflows/static-analysis-report.lock.yml | 51 ++++++----------- .../workflows/technical-doc-writer.lock.yml | 52 ++++++----------- .../test-ollama-threat-detection.lock.yml | 52 ++++++----------- .github/workflows/tidy.lock.yml | 52 ++++++----------- .github/workflows/unbloat-docs.lock.yml | 51 ++++++----------- .github/workflows/video-analyzer.lock.yml | 52 ++++++----------- .../workflows/weekly-issue-summary.lock.yml | 52 ++++++----------- pkg/workflow/compile_config_test.go | 37 ++---------- pkg/workflow/compiler_jobs.go | 7 +-- pkg/workflow/compiler_yaml.go | 6 +- pkg/workflow/js/collect_ndjson_output.cjs | 13 ++++- pkg/workflow/js/safe_outputs_mcp_server.cjs | 54 +++++++----------- pkg/workflow/main_job_env_test.go | 16 ++---- pkg/workflow/mcp-config.go | 5 +- pkg/workflow/mcp_config_refactor_test.go | 16 +++++- pkg/workflow/mcp_config_shared_test.go | 1 - pkg/workflow/mcp_servers.go | 2 +- pkg/workflow/safe_output_helpers_test.go | 6 +- pkg/workflow/safe_outputs.go | 3 - .../safe_outputs_mcp_integration_test.go | 11 +++- pkg/workflow/safe_outputs_mcp_server_test.go | 12 +++- 72 files changed, 1068 insertions(+), 2122 deletions(-) diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index dce58d811d7..0d7314e73fd 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -138,7 +138,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -259,39 +258,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1023,7 +1009,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1060,7 +1045,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1465,7 +1449,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1600,7 +1583,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 4e0b13e5596..0c64e00d2cb 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -156,7 +156,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -443,39 +442,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1207,7 +1193,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1243,7 +1228,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2639,7 +2623,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 3293feb3edc..3fecf2999bf 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -140,7 +140,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -365,39 +364,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1129,7 +1115,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1171,7 +1156,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1989,7 +1973,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,githubnext.com,www.githubnext.com" with: script: | diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 113d6414dbc..e34e9ab2e28 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -1086,7 +1086,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -1198,39 +1197,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1962,7 +1948,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -2017,7 +2002,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2391,7 +2375,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2527,7 +2510,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" GH_AW_COMMAND: brave with: diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 19a22ef62f7..5123b90a903 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -696,7 +696,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -825,39 +824,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1589,7 +1575,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1626,7 +1611,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2071,7 +2055,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2206,7 +2189,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index ac9fb4f96d2..9183612c3e9 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -547,7 +547,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -679,39 +678,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1443,7 +1429,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1480,7 +1465,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1924,7 +1908,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2059,7 +2042,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index cb1ca9ea7b4..9d257f6876d 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -142,7 +142,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -277,39 +276,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1041,7 +1027,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1078,7 +1063,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1570,7 +1554,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1705,7 +1688,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,ghcr.io,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" with: script: | diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 966fd4f88fd..250da4bb379 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -143,7 +143,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -368,39 +367,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1132,7 +1118,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1164,7 +1149,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1920,7 +1904,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index b77ca5fe471..a67ec303d3e 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -145,7 +145,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -398,39 +397,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1162,7 +1148,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1194,7 +1179,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2272,7 +2256,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com" with: script: | diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index fe8f36297f4..71e61a921b3 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -145,7 +145,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -294,39 +293,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1058,7 +1044,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1095,7 +1080,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1807,7 +1791,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1942,7 +1925,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index a690f0da9b8..eee89a817d0 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -153,7 +153,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -432,39 +431,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1196,7 +1182,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1228,7 +1213,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -3180,7 +3164,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com,pypi.python.org,pypi.org,pip.pypa.io,*.pythonhosted.org,files.pythonhosted.org,bootstrap.pypa.io,conda.binstar.org,conda.anaconda.org,binstar.org,anaconda.org,repo.continuum.io,repo.anaconda.com" with: script: | diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index e0fe0dd54be..00f5ebf34aa 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -1086,7 +1086,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -1202,39 +1201,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1966,7 +1952,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -2003,7 +1988,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2544,7 +2528,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2679,7 +2662,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" GH_AW_COMMAND: craft with: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 836cd8ae600..7b40b8717c9 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -138,7 +138,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -383,39 +382,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1147,7 +1133,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1179,7 +1164,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1855,7 +1839,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com" with: script: | diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 38246bea122..3e552e7543c 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -152,7 +152,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -313,39 +312,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1077,7 +1063,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1124,7 +1109,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2187,7 +2171,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2322,7 +2305,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" with: script: | diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index a2e7ac321ad..cd933702c36 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -156,7 +156,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -313,39 +312,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1077,7 +1063,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1114,7 +1099,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2161,7 +2145,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2298,7 +2281,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" with: script: | diff --git a/.github/workflows/daily-perf-improver.lock.yml b/.github/workflows/daily-perf-improver.lock.yml index ae0c8968c75..ad6f2190183 100644 --- a/.github/workflows/daily-perf-improver.lock.yml +++ b/.github/workflows/daily-perf-improver.lock.yml @@ -569,7 +569,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_discussion\":{\"max\":5},\"create_pull_request\":{},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -696,39 +695,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1460,7 +1446,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1497,7 +1482,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1972,7 +1956,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_discussion\":{\"max\":5},\"create_pull_request\":{},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2107,7 +2090,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_discussion\":{\"max\":5},\"create_pull_request\":{},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index c420ef59143..3f8f391cac8 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -152,7 +152,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -306,39 +305,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1070,7 +1056,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1107,7 +1092,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2054,7 +2038,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2189,7 +2172,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" with: script: | diff --git a/.github/workflows/daily-test-improver.lock.yml b/.github/workflows/daily-test-improver.lock.yml index 79aa46c5968..e24d068ce47 100644 --- a/.github/workflows/daily-test-improver.lock.yml +++ b/.github/workflows/daily-test-improver.lock.yml @@ -569,7 +569,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_discussion\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -696,39 +695,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1460,7 +1446,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1497,7 +1482,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1946,7 +1930,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_discussion\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2081,7 +2064,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_discussion\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index f15388f7a89..ce0b4d60608 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -531,7 +531,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -649,39 +648,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1413,7 +1399,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1460,7 +1445,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1818,7 +1802,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1953,7 +1936,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 901398865d6..c4f9a992415 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -135,7 +135,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -246,39 +245,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1010,7 +996,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1047,7 +1032,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1365,7 +1349,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1500,7 +1483,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index a6773b16e7e..7ff175ae605 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -140,7 +140,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -251,39 +250,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1015,7 +1001,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1052,7 +1037,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1455,7 +1439,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1590,7 +1573,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 6c128c764b1..a80d33682a1 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -146,7 +146,6 @@ jobs: group: "gh-aw-codex-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":3},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -280,39 +279,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1044,7 +1030,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1080,7 +1065,7 @@ jobs: args = [ "/tmp/gh-aw/safeoutputs/mcp-server.cjs", ] - env = { "GH_AW_SAFE_OUTPUTS" = "${{ env.GH_AW_SAFE_OUTPUTS }}", "GH_AW_SAFE_OUTPUTS_CONFIG" = ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }}, "GH_AW_ASSETS_BRANCH" = "${{ env.GH_AW_ASSETS_BRANCH }}", "GH_AW_ASSETS_MAX_SIZE_KB" = "${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}", "GH_AW_ASSETS_ALLOWED_EXTS" = "${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}", "GITHUB_REPOSITORY" = "${{ github.repository }}", "GITHUB_SERVER_URL" = "${{ github.server_url }}" } + env = { "GH_AW_SAFE_OUTPUTS" = "${{ env.GH_AW_SAFE_OUTPUTS }}", "GH_AW_ASSETS_BRANCH" = "${{ env.GH_AW_ASSETS_BRANCH }}", "GH_AW_ASSETS_MAX_SIZE_KB" = "${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}", "GH_AW_ASSETS_ALLOWED_EXTS" = "${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}", "GITHUB_REPOSITORY" = "${{ github.repository }}", "GITHUB_SERVER_URL" = "${{ github.server_url }}" } [mcp_servers.serena] command = "uvx" @@ -1544,7 +1529,6 @@ jobs: GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/config.toml GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":3},\"missing_tool\":{}}" GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} RUST_LOG: trace,hyper_util=info,mio=info,reqwest=info,os_info=info,codex_otel=warn,codex_core=debug,ocodex_exec=debug - name: Redact secrets in logs @@ -1675,7 +1659,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":3},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 3ea5b66725e..3bd16a83d77 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -142,7 +142,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -374,39 +373,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1138,7 +1124,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1178,7 +1163,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1703,7 +1687,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 8e28d92ff58..258e6d0390e 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -153,7 +153,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -394,39 +393,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1158,7 +1144,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1181,7 +1166,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2219,7 +2203,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 236625f7df3..e9fcc3e581e 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -140,7 +140,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -400,39 +399,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1164,7 +1150,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1196,7 +1181,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1974,7 +1958,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 697600f6e1a..74a5a699a31 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -145,7 +145,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -371,39 +370,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1135,7 +1121,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1177,7 +1162,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1751,7 +1735,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 6f780619d3f..d3e98bdfc1f 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -138,7 +138,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -383,39 +382,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1147,7 +1133,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1179,7 +1164,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1853,7 +1837,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com" with: script: | diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index 3672ea37241..f43947c0c28 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml @@ -930,7 +930,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_labels\":{\"allowed\":[\"bug\",\"feature\",\"enhancement\",\"documentation\"],\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -1023,39 +1022,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1787,7 +1773,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1817,7 +1802,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2081,7 +2065,6 @@ jobs: GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"add_labels\\\":{\\\"allowed\\\":[\\\"bug\\\",\\\"feature\\\",\\\"enhancement\\\",\\\"documentation\\\"],\\\"max\\\":1},\\\"missing_tool\\\":{}}\"" with: enable-github-mcp: ${{ secrets.GH_AW_GITHUB_TOKEN != '' }} github-mcp-token: ${{ secrets.GH_AW_GITHUB_TOKEN }} @@ -2217,7 +2200,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_labels\":{\"allowed\":[\"bug\",\"feature\",\"enhancement\",\"documentation\"],\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index c29e5e746e5..ef189e19ff8 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -142,7 +142,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -387,39 +386,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1151,7 +1137,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1183,7 +1168,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2057,7 +2041,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 3f3a2dc1fcb..27024f90e60 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -172,7 +172,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"notion-add-comment\":{\"description\":\"Add a comment to a Notion page\",\"inputs\":{\"comment\":{\"description\":\"The comment text to add\",\"required\":true,\"type\":\"string\"}},\"output\":\"Comment added to Notion successfully!\"},\"post-to-slack-channel\":{\"description\":\"Post a message to a Slack channel. Message must be 200 characters or less. Supports basic Slack markdown: *bold*, _italic_, ~strike~, `code`, ```code block```, \\u003equote, and links \\u003curl|text\\u003e. Requires GH_AW_SLACK_CHANNEL_ID environment variable to be set.\",\"inputs\":{\"message\":{\"description\":\"The message to post (max 200 characters, supports Slack markdown)\",\"required\":true,\"type\":\"string\"}},\"output\":\"Message posted to Slack successfully!\"}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -351,39 +350,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1115,7 +1101,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1333,7 +1318,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2024,7 +2008,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"notion-add-comment\":{\"description\":\"Add a comment to a Notion page\",\"inputs\":{\"comment\":{\"description\":\"The comment text to add\",\"required\":true,\"type\":\"string\"}},\"output\":\"Comment added to Notion successfully!\"},\"post-to-slack-channel\":{\"description\":\"Post a message to a Slack channel. Message must be 200 characters or less. Supports basic Slack markdown: *bold*, _italic_, ~strike~, `code`, ```code block```, \\u003equote, and links \\u003curl|text\\u003e. Requires GH_AW_SLACK_CHANNEL_ID environment variable to be set.\",\"inputs\":{\"message\":{\"description\":\"The message to post (max 200 characters, supports Slack markdown)\",\"required\":true,\"type\":\"string\"}},\"output\":\"Message posted to Slack successfully!\"}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2172,7 +2155,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"notion-add-comment\":{\"description\":\"Add a comment to a Notion page\",\"inputs\":{\"comment\":{\"description\":\"The comment text to add\",\"required\":true,\"type\":\"string\"}},\"output\":\"Comment added to Notion successfully!\"},\"post-to-slack-channel\":{\"description\":\"Post a message to a Slack channel. Message must be 200 characters or less. Supports basic Slack markdown: *bold*, _italic_, ~strike~, `code`, ```code block```, \\u003equote, and links \\u003curl|text\\u003e. Requires GH_AW_SLACK_CHANNEL_ID environment variable to be set.\",\"inputs\":{\"message\":{\"description\":\"The message to post (max 200 characters, supports Slack markdown)\",\"required\":true,\"type\":\"string\"}},\"output\":\"Message posted to Slack successfully!\"}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index b1829497995..552f46436c7 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -486,7 +486,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -600,39 +599,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1364,7 +1350,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1401,7 +1386,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2021,7 +2005,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2156,7 +2139,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" GH_AW_COMMAND: mergefest with: diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index a63f79a1ba1..d12901916cb 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -137,7 +137,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"notion-add-comment\":{\"description\":\"Add a comment to a Notion page\",\"inputs\":{\"comment\":{\"description\":\"The comment text to add\",\"required\":true,\"type\":\"string\"}},\"output\":\"Comment added to Notion successfully!\"}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -249,39 +248,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1013,7 +999,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1071,7 +1056,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1323,7 +1307,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"notion-add-comment\":{\"description\":\"Add a comment to a Notion page\",\"inputs\":{\"comment\":{\"description\":\"The comment text to add\",\"required\":true,\"type\":\"string\"}},\"output\":\"Comment added to Notion successfully!\"}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1459,7 +1442,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"notion-add-comment\":{\"description\":\"Add a comment to a Notion page\",\"inputs\":{\"comment\":{\"description\":\"The comment text to add\",\"required\":true,\"type\":\"string\"}},\"output\":\"Comment added to Notion successfully!\"}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 99a12e00764..9523d06f63c 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1108,7 +1108,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -1246,39 +1245,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -2010,7 +1996,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -2054,7 +2039,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2497,7 +2481,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2632,7 +2615,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" GH_AW_COMMAND: summarize with: diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 9c047efca2c..cfb9261fbd9 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -699,7 +699,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":5},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -810,39 +809,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1574,7 +1560,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1611,7 +1596,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1993,7 +1977,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":5},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2128,7 +2111,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":5},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" GH_AW_COMMAND: plan with: diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index fc340969007..26bbf7a24f0 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1373,7 +1373,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":3,\"target\":\"*\"},\"add_labels\":{\"allowed\":[\"poetry\",\"creative\",\"automation\",\"ai-generated\",\"epic\",\"haiku\",\"sonnet\",\"limerick\"],\"max\":5},\"create_issue\":{\"max\":2},\"create_pull_request\":{},\"create_pull_request_review_comment\":{\"max\":2},\"missing_tool\":{},\"push_to_pull_request_branch\":{},\"update_issue\":{\"max\":2},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -1506,39 +1505,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -2270,7 +2256,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -2307,7 +2292,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2731,7 +2715,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":3,\"target\":\"*\"},\"add_labels\":{\"allowed\":[\"poetry\",\"creative\",\"automation\",\"ai-generated\",\"epic\",\"haiku\",\"sonnet\",\"limerick\"],\"max\":5},\"create_issue\":{\"max\":2},\"create_pull_request\":{},\"create_pull_request_review_comment\":{\"max\":2},\"missing_tool\":{},\"push_to_pull_request_branch\":{},\"update_issue\":{\"max\":2},\"upload_asset\":{}}" GH_AW_SAFE_OUTPUTS_STAGED: true GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -2867,7 +2850,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":3,\"target\":\"*\"},\"add_labels\":{\"allowed\":[\"poetry\",\"creative\",\"automation\",\"ai-generated\",\"epic\",\"haiku\",\"sonnet\",\"limerick\"],\"max\":5},\"create_issue\":{\"max\":2},\"create_pull_request\":{},\"create_pull_request_review_comment\":{\"max\":2},\"missing_tool\":{},\"push_to_pull_request_branch\":{},\"update_issue\":{\"max\":2},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" GH_AW_COMMAND: poem-bot with: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 49c4ee2a8f2..09e320683bd 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -150,7 +150,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -436,39 +435,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1200,7 +1186,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1236,7 +1221,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2392,7 +2376,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com,pypi.python.org,pypi.org,pip.pypa.io,*.pythonhosted.org,files.pythonhosted.org,bootstrap.pypa.io,conda.binstar.org,conda.anaconda.org,binstar.org,anaconda.org,repo.continuum.io,repo.anaconda.com" with: script: | diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index a424a7f239e..dd10d1a5c64 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -144,7 +144,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -298,39 +297,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1062,7 +1048,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1099,7 +1084,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1764,7 +1748,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1899,7 +1882,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" with: script: | diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index e46d36bab0d..a0aa2dfdc1e 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1134,7 +1134,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -1291,39 +1290,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -2055,7 +2041,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -2099,7 +2084,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2845,7 +2829,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2982,7 +2965,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" GH_AW_COMMAND: q with: diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 8951907ff91..258b3f03c6c 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -138,7 +138,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -249,39 +248,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1013,7 +999,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1050,7 +1035,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1489,7 +1473,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1624,7 +1607,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 22b84678082..52eea6b63a7 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -144,7 +144,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -265,39 +264,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1029,7 +1015,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1066,7 +1051,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1428,7 +1412,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1565,7 +1548,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index df991de6618..2fc4aa2951c 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -148,7 +148,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -413,39 +412,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1177,7 +1163,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1213,7 +1198,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2189,7 +2173,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index ccb51733ec2..ee4eb4428ec 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -144,7 +144,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -387,39 +386,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1151,7 +1137,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1174,7 +1159,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2059,7 +2043,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 2cb7ee6d8df..d8280cafd6c 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1133,7 +1133,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -1389,39 +1388,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -2153,7 +2139,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -2222,7 +2207,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -3013,7 +2997,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" GH_AW_COMMAND: scout with: diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 99e5d275993..943ae1202c2 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -136,7 +136,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -381,39 +380,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1145,7 +1131,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1177,7 +1162,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1801,7 +1785,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 13257000fe5..68a1c138914 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -147,7 +147,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -390,39 +389,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1154,7 +1140,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1186,7 +1171,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2151,7 +2135,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index f48e3a0812c..de1e65d869e 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -146,7 +146,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -371,39 +370,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1135,7 +1121,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1167,7 +1152,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1602,7 +1586,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 8d68f16eb00..5e36d8f8a8d 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -146,7 +146,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -262,39 +261,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1026,7 +1012,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1062,7 +1047,7 @@ jobs: args = [ "/tmp/gh-aw/safeoutputs/mcp-server.cjs", ] - env = { "GH_AW_SAFE_OUTPUTS" = "${{ env.GH_AW_SAFE_OUTPUTS }}", "GH_AW_SAFE_OUTPUTS_CONFIG" = ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }}, "GH_AW_ASSETS_BRANCH" = "${{ env.GH_AW_ASSETS_BRANCH }}", "GH_AW_ASSETS_MAX_SIZE_KB" = "${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}", "GH_AW_ASSETS_ALLOWED_EXTS" = "${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}", "GITHUB_REPOSITORY" = "${{ github.repository }}", "GITHUB_SERVER_URL" = "${{ github.server_url }}" } + env = { "GH_AW_SAFE_OUTPUTS" = "${{ env.GH_AW_SAFE_OUTPUTS }}", "GH_AW_ASSETS_BRANCH" = "${{ env.GH_AW_ASSETS_BRANCH }}", "GH_AW_ASSETS_MAX_SIZE_KB" = "${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}", "GH_AW_ASSETS_ALLOWED_EXTS" = "${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}", "GITHUB_REPOSITORY" = "${{ github.repository }}", "GITHUB_SERVER_URL" = "${{ github.server_url }}" } EOF - name: Create prompt env: @@ -1284,7 +1269,6 @@ jobs: GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/config.toml GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_SAFE_OUTPUTS_STAGED: true GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} RUST_LOG: trace,hyper_util=info,mio=info,reqwest=info,os_info=info,codex_otel=warn,codex_core=debug,ocodex_exec=debug @@ -1416,7 +1400,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml index 892a18781c4..2afb0f6ab5d 100644 --- a/.github/workflows/smoke-copilot.firewall.lock.yml +++ b/.github/workflows/smoke-copilot.firewall.lock.yml @@ -146,7 +146,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -267,39 +266,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1031,7 +1017,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1068,7 +1053,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1352,7 +1336,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_SAFE_OUTPUTS_STAGED: true GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -1488,7 +1471,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 0de1478238c..f65c7735719 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -146,7 +146,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -267,39 +266,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1031,7 +1017,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1068,7 +1053,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1352,7 +1336,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_SAFE_OUTPUTS_STAGED: true GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -1488,7 +1471,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index 2ac86b1d349..ce25cb53712 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -896,7 +896,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -1155,39 +1154,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1919,7 +1905,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1955,7 +1940,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2641,7 +2625,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index 0b371b8fccb..4d79212cea8 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -150,7 +150,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -247,39 +246,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1011,7 +997,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1041,7 +1026,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -1239,7 +1223,6 @@ jobs: GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1},\\\"missing_tool\\\":{}}\"" GH_AW_SAFE_OUTPUTS_STAGED: "true" - name: Configure OpenCode MCP servers run: | @@ -1303,7 +1286,6 @@ jobs: GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1},\\\"missing_tool\\\":{}}\"" GH_AW_SAFE_OUTPUTS_STAGED: "true" - name: Run OpenCode id: opencode @@ -1316,7 +1298,6 @@ jobs: GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1},\\\"missing_tool\\\":{}}\"" GH_AW_SAFE_OUTPUTS_STAGED: "true" GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -1452,7 +1433,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | @@ -2757,7 +2737,6 @@ jobs: GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1},\\\"missing_tool\\\":{}}\"" GH_AW_SAFE_OUTPUTS_STAGED: "true" - name: Configure OpenCode MCP servers run: | @@ -2821,7 +2800,6 @@ jobs: GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1},\\\"missing_tool\\\":{}}\"" GH_AW_SAFE_OUTPUTS_STAGED: "true" - name: Run OpenCode id: opencode @@ -2834,7 +2812,6 @@ jobs: GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1},\\\"missing_tool\\\":{}}\"" GH_AW_SAFE_OUTPUTS_STAGED: "true" GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index a73fc4eb8cf..11fc92bcd31 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -147,7 +147,6 @@ jobs: group: "gh-aw-claude-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -406,39 +405,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1170,7 +1156,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1206,7 +1191,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2078,7 +2062,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" with: script: | diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 7a859654c05..e29894996a4 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -550,7 +550,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -696,39 +695,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1460,7 +1446,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1497,7 +1482,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -2205,7 +2189,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{},\"upload_asset\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2340,7 +2323,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" with: script: | diff --git a/.github/workflows/test-ollama-threat-detection.lock.yml b/.github/workflows/test-ollama-threat-detection.lock.yml index 36b6ac28fda..18b2a167b89 100644 --- a/.github/workflows/test-ollama-threat-detection.lock.yml +++ b/.github/workflows/test-ollama-threat-detection.lock.yml @@ -136,7 +136,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -247,39 +246,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1011,7 +997,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1048,7 +1033,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1296,7 +1280,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1431,7 +1414,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index ac39c8011bd..7fda88ab91b 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -502,7 +502,6 @@ jobs: pull-requests: read env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -627,39 +626,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1391,7 +1377,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1428,7 +1413,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1823,7 +1807,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1958,7 +1941,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_pull_request\":{},\"missing_tool\":{},\"push_to_pull_request_branch\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" GH_AW_COMMAND: tidy with: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 7e2e1f00d7e..f0872ba6c68 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -896,7 +896,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -1156,39 +1155,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1920,7 +1906,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1964,7 +1949,6 @@ jobs: "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG, "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", @@ -2765,7 +2749,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request\":{},\"missing_tool\":{},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com" GH_AW_COMMAND: unbloat with: diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index adf35881f34..f9545ed30af 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -143,7 +143,6 @@ jobs: group: "gh-aw-copilot-${{ github.workflow }}" env: GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -262,39 +261,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1026,7 +1012,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1063,7 +1048,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1587,7 +1571,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -1722,7 +1705,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}" GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" with: script: | diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 578bc3fc43e..b1068e7886a 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -146,7 +146,6 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" outputs: output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} @@ -259,39 +258,26 @@ jobs: normalized = normalized.toLowerCase(); return normalized; } - const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; - if (!configEnv) { - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); + debug(`Reading config from file: ${configPath}`); + try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } - } else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } + } catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`); @@ -1023,7 +1009,6 @@ jobs: env: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} @@ -1063,7 +1048,6 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}", "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", @@ -1965,7 +1949,6 @@ jobs: GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} @@ -2100,7 +2083,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_OUTPUTS_CONFIG: "{\"create_discussion\":{\"max\":1},\"missing_tool\":{},\"upload_asset\":{}}" GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" with: script: | diff --git a/pkg/workflow/compile_config_test.go b/pkg/workflow/compile_config_test.go index 854e148397e..c387a861bde 100644 --- a/pkg/workflow/compile_config_test.go +++ b/pkg/workflow/compile_config_test.go @@ -194,48 +194,21 @@ func TestSafeOutputsConfigGeneration(t *testing.T) { SafeOutputs: config, } - // Use the compiler's generateOutputCollectionStep to test the GH_AW_SAFE_OUTPUTS_CONFIG generation + // Use the compiler's generateOutputCollectionStep to verify config is not in env vars var yamlBuilder strings.Builder compiler.generateOutputCollectionStep(&yamlBuilder, workflowData) generatedYAML := yamlBuilder.String() - // Look specifically for the GH_AW_SAFE_OUTPUTS_CONFIG environment variable line + // Config should NOT be in environment variables anymore - it's in a file configLinePresent := strings.Contains(generatedYAML, "GH_AW_SAFE_OUTPUTS_CONFIG:") if len(tt.expectedInConfig) > 0 { - // If we expect items in config, the config line should be present - if !configLinePresent { - t.Errorf("Expected GH_AW_SAFE_OUTPUTS_CONFIG environment variable to be present, but it was not found") + // Even if we expect items in config, they should be written to file, not env var + if configLinePresent { + t.Errorf("GH_AW_SAFE_OUTPUTS_CONFIG should NOT be in environment variables - config is now in file") return } - - // Extract the config line to check its contents - configLine := "" - lines := strings.Split(generatedYAML, "\n") - for _, line := range lines { - if strings.Contains(line, "GH_AW_SAFE_OUTPUTS_CONFIG:") { - configLine = line - break - } - } - - // Check expected items are present in the config line - for _, expected := range tt.expectedInConfig { - if !strings.Contains(configLine, expected) { - t.Errorf("Expected %q to be in GH_AW_SAFE_OUTPUTS_CONFIG, but it was not found in config line: %s", expected, configLine) - } - } - - // Check unexpected items are not present in the config line - for _, unexpected := range tt.unexpectedInConfig { - if strings.Contains(configLine, unexpected) { - t.Errorf("Did not expect %q to be in GH_AW_SAFE_OUTPUTS_CONFIG, but it was found in config line: %s", unexpected, configLine) - } - } } - // If we don't expect any items and no unexpected items specified, - // the config line may or may not be present (depending on whether SafeOutputs is nil) - // This is acceptable behavior }) } } diff --git a/pkg/workflow/compiler_jobs.go b/pkg/workflow/compiler_jobs.go index 4808928641c..245fb01f33e 100644 --- a/pkg/workflow/compiler_jobs.go +++ b/pkg/workflow/compiler_jobs.go @@ -675,12 +675,7 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( // Set GH_AW_SAFE_OUTPUTS to fixed path env["GH_AW_SAFE_OUTPUTS"] = "/tmp/gh-aw/safeoutputs/outputs.jsonl" - // Set GH_AW_SAFE_OUTPUTS_CONFIG with the safe outputs configuration - safeOutputConfig := generateSafeOutputsConfig(data) - if safeOutputConfig != "" { - // The JSON string needs to be properly quoted for YAML - env["GH_AW_SAFE_OUTPUTS_CONFIG"] = fmt.Sprintf("%q", safeOutputConfig) - } + // Config is written to /tmp/gh-aw/safeoutputs/config.json file, not passed as env var // Add asset-related environment variables if upload-assets is configured if data.SafeOutputs.UploadAssets != nil { diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go index 54aa40633f5..04deae12491 100644 --- a/pkg/workflow/compiler_yaml.go +++ b/pkg/workflow/compiler_yaml.go @@ -880,11 +880,7 @@ func (c *Compiler) generateOutputCollectionStep(yaml *strings.Builder, data *Wor yaml.WriteString(" env:\n") yaml.WriteString(" GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}\n") - // Pass the safe-outputs configuration for validation - safeOutputConfig := generateSafeOutputsConfig(data) - if safeOutputConfig != "" { - fmt.Fprintf(yaml, " GH_AW_SAFE_OUTPUTS_CONFIG: %q\n", safeOutputConfig) - } + // Config is written to file, not passed as env var // Add allowed domains configuration for sanitization // Use manually configured domains if available, otherwise compute from network configuration diff --git a/pkg/workflow/js/collect_ndjson_output.cjs b/pkg/workflow/js/collect_ndjson_output.cjs index 994039ddf5f..aae8c9bbf11 100644 --- a/pkg/workflow/js/collect_ndjson_output.cjs +++ b/pkg/workflow/js/collect_ndjson_output.cjs @@ -302,7 +302,18 @@ async function main() { } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + // Read config from file instead of environment variable + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error.message}`); + } + if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/pkg/workflow/js/safe_outputs_mcp_server.cjs b/pkg/workflow/js/safe_outputs_mcp_server.cjs index 08b7da7bf0c..c9e5f69055b 100644 --- a/pkg/workflow/js/safe_outputs_mcp_server.cjs +++ b/pkg/workflow/js/safe_outputs_mcp_server.cjs @@ -58,44 +58,30 @@ function normalizeBranchName(branchName) { return normalized; } -// Handle GH_AW_SAFE_OUTPUTS_CONFIG with default fallback -const configEnv = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; +// Read configuration from file +const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; let safeOutputsConfigRaw; -if (!configEnv) { - // Default config file path - const defaultConfigPath = "/tmp/gh-aw/safeoutputs/config.json"; - debug(`GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: ${defaultConfigPath}`); - - try { - if (fs.existsSync(defaultConfigPath)) { - debug(`Reading config from file: ${defaultConfigPath}`); - const configFileContent = fs.readFileSync(defaultConfigPath, "utf8"); - debug(`Config file content length: ${configFileContent.length} characters`); - // Don't log raw content to avoid exposing sensitive configuration data - debug(`Config file read successfully, attempting to parse JSON`); - safeOutputsConfigRaw = JSON.parse(configFileContent); - debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); - } else { - debug(`Config file does not exist at: ${defaultConfigPath}`); - debug(`Using minimal default configuration`); - safeOutputsConfigRaw = {}; - } - } catch (error) { - debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); - debug(`Falling back to empty configuration`); +debug(`Reading config from file: ${configPath}`); + +try { + if (fs.existsSync(configPath)) { + debug(`Config file exists at: ${configPath}`); + const configFileContent = fs.readFileSync(configPath, "utf8"); + debug(`Config file content length: ${configFileContent.length} characters`); + // Don't log raw content to avoid exposing sensitive configuration data + debug(`Config file read successfully, attempting to parse JSON`); + safeOutputsConfigRaw = JSON.parse(configFileContent); + debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`); + } else { + debug(`Config file does not exist at: ${configPath}`); + debug(`Using minimal default configuration`); safeOutputsConfigRaw = {}; } -} else { - debug(`Using GH_AW_SAFE_OUTPUTS_CONFIG from environment variable`); - debug(`Config environment variable length: ${configEnv.length} characters`); - try { - safeOutputsConfigRaw = JSON.parse(configEnv); // uses dashes for keys - debug(`Successfully parsed config from environment: ${JSON.stringify(safeOutputsConfigRaw)}`); - } catch (error) { - debug(`Error parsing config from environment: ${error instanceof Error ? error.message : String(error)}`); - throw new Error(`Failed to parse GH_AW_SAFE_OUTPUTS_CONFIG: ${error instanceof Error ? error.message : String(error)}`); - } +} catch (error) { + debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`); + debug(`Falling back to empty configuration`); + safeOutputsConfigRaw = {}; } const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v])); diff --git a/pkg/workflow/main_job_env_test.go b/pkg/workflow/main_job_env_test.go index 359421ec80b..72e048cae1a 100644 --- a/pkg/workflow/main_job_env_test.go +++ b/pkg/workflow/main_job_env_test.go @@ -32,7 +32,7 @@ func TestMainJobEnvironmentVariables(t *testing.T) { }, }, expectedEnvVars: []string{ - "GH_AW_SAFE_OUTPUTS_CONFIG:", + // Config is now in file, not env var }, shouldHaveEnv: true, }, @@ -50,7 +50,7 @@ func TestMainJobEnvironmentVariables(t *testing.T) { }, }, expectedEnvVars: []string{ - "GH_AW_SAFE_OUTPUTS_CONFIG:", + // Config is now in file, not env var }, shouldHaveEnv: true, }, @@ -185,15 +185,9 @@ This workflow tests that job-level environment variables are properly set for sa t.Error("Expected job-level 'env:' section in agent job") } - // Check for required environment variables - expectedEnvVars := []string{ - " GH_AW_SAFE_OUTPUTS_CONFIG:", - } - - for _, expectedEnvVar := range expectedEnvVars { - if !strings.Contains(agentJobSection, expectedEnvVar) { - t.Errorf("Expected environment variable %q not found in agent job section", expectedEnvVar) - } + // Check that GH_AW_SAFE_OUTPUTS_CONFIG is NOT in environment variables + if strings.Contains(agentJobSection, "GH_AW_SAFE_OUTPUTS_CONFIG:") { + t.Error("GH_AW_SAFE_OUTPUTS_CONFIG should NOT be in environment variables - config is now in file") } // Clean up diff --git a/pkg/workflow/mcp-config.go b/pkg/workflow/mcp-config.go index 6266b67f13f..2442c03c3c2 100644 --- a/pkg/workflow/mcp-config.go +++ b/pkg/workflow/mcp-config.go @@ -120,9 +120,9 @@ func renderSafeOutputsMCPConfigWithOptions(yaml *strings.Builder, isLast bool, i // Use shell environment variables instead of GitHub Actions expressions to prevent template injection // For both Copilot and Claude/Custom engines, reference shell env vars // The actual GitHub expressions are set in the step's env: block + // Config is now read from file, so we don't pass GH_AW_SAFE_OUTPUTS_CONFIG if includeCopilotFields { yaml.WriteString(" \"GH_AW_SAFE_OUTPUTS\": \"\\${GH_AW_SAFE_OUTPUTS}\",\n") - yaml.WriteString(" \"GH_AW_SAFE_OUTPUTS_CONFIG\": \"\\${GH_AW_SAFE_OUTPUTS_CONFIG}\",\n") yaml.WriteString(" \"GH_AW_ASSETS_BRANCH\": \"\\${GH_AW_ASSETS_BRANCH}\",\n") yaml.WriteString(" \"GH_AW_ASSETS_MAX_SIZE_KB\": \"\\${GH_AW_ASSETS_MAX_SIZE_KB}\",\n") yaml.WriteString(" \"GH_AW_ASSETS_ALLOWED_EXTS\": \"\\${GH_AW_ASSETS_ALLOWED_EXTS}\",\n") @@ -130,7 +130,6 @@ func renderSafeOutputsMCPConfigWithOptions(yaml *strings.Builder, isLast bool, i yaml.WriteString(" \"GITHUB_SERVER_URL\": \"\\${GITHUB_SERVER_URL}\"\n") } else { yaml.WriteString(" \"GH_AW_SAFE_OUTPUTS\": \"$GH_AW_SAFE_OUTPUTS\",\n") - yaml.WriteString(" \"GH_AW_SAFE_OUTPUTS_CONFIG\": $GH_AW_SAFE_OUTPUTS_CONFIG,\n") yaml.WriteString(" \"GH_AW_ASSETS_BRANCH\": \"$GH_AW_ASSETS_BRANCH\",\n") yaml.WriteString(" \"GH_AW_ASSETS_MAX_SIZE_KB\": \"$GH_AW_ASSETS_MAX_SIZE_KB\",\n") yaml.WriteString(" \"GH_AW_ASSETS_ALLOWED_EXTS\": \"$GH_AW_ASSETS_ALLOWED_EXTS\",\n") @@ -223,7 +222,7 @@ func renderSafeOutputsMCPConfigTOML(yaml *strings.Builder) { yaml.WriteString(" args = [\n") yaml.WriteString(" \"/tmp/gh-aw/safeoutputs/mcp-server.cjs\",\n") yaml.WriteString(" ]\n") - yaml.WriteString(" env = { \"GH_AW_SAFE_OUTPUTS\" = \"${{ env.GH_AW_SAFE_OUTPUTS }}\", \"GH_AW_SAFE_OUTPUTS_CONFIG\" = ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }}, \"GH_AW_ASSETS_BRANCH\" = \"${{ env.GH_AW_ASSETS_BRANCH }}\", \"GH_AW_ASSETS_MAX_SIZE_KB\" = \"${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}\", \"GH_AW_ASSETS_ALLOWED_EXTS\" = \"${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}\", \"GITHUB_REPOSITORY\" = \"${{ github.repository }}\", \"GITHUB_SERVER_URL\" = \"${{ github.server_url }}\" }\n") + yaml.WriteString(" env = { \"GH_AW_SAFE_OUTPUTS\" = \"${{ env.GH_AW_SAFE_OUTPUTS }}\", \"GH_AW_ASSETS_BRANCH\" = \"${{ env.GH_AW_ASSETS_BRANCH }}\", \"GH_AW_ASSETS_MAX_SIZE_KB\" = \"${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}\", \"GH_AW_ASSETS_ALLOWED_EXTS\" = \"${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}\", \"GITHUB_REPOSITORY\" = \"${{ github.repository }}\", \"GITHUB_SERVER_URL\" = \"${{ github.server_url }}\" }\n") } // renderAgenticWorkflowsMCPConfigTOML generates the Agentic Workflows MCP server configuration in TOML format for Codex diff --git a/pkg/workflow/mcp_config_refactor_test.go b/pkg/workflow/mcp_config_refactor_test.go index d78fd4a496f..be2647fa649 100644 --- a/pkg/workflow/mcp_config_refactor_test.go +++ b/pkg/workflow/mcp_config_refactor_test.go @@ -123,11 +123,11 @@ func TestRenderSafeOutputsMCPConfigWithOptions(t *testing.T) { `"tools": ["*"]`, `"env": {`, `"GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}"`, - `"GH_AW_SAFE_OUTPUTS_CONFIG": "\${GH_AW_SAFE_OUTPUTS_CONFIG}"`, ` }`, }, unexpectedContent: []string{ `${{ env.`, + `GH_AW_SAFE_OUTPUTS_CONFIG`, // Config is now in file, not env var }, }, { @@ -140,7 +140,6 @@ func TestRenderSafeOutputsMCPConfigWithOptions(t *testing.T) { `"args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"]`, // Security fix: Now uses shell variables instead of GitHub expressions `"GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS"`, - `"GH_AW_SAFE_OUTPUTS_CONFIG": $GH_AW_SAFE_OUTPUTS_CONFIG`, ` },`, }, unexpectedContent: []string{ @@ -150,6 +149,7 @@ func TestRenderSafeOutputsMCPConfigWithOptions(t *testing.T) { // Verify GitHub expressions are NOT in the output (security fix) `${{ env.`, `${{ toJSON(`, + `GH_AW_SAFE_OUTPUTS_CONFIG`, // Config is now in file, not env var }, }, } @@ -321,7 +321,11 @@ func TestRenderSafeOutputsMCPConfigTOML(t *testing.T) { `"/tmp/gh-aw/safeoutputs/mcp-server.cjs"`, `env = {`, `"GH_AW_SAFE_OUTPUTS" = "${{ env.GH_AW_SAFE_OUTPUTS }}"`, - `${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }}`, + } + + unexpectedContent := []string{ + `GH_AW_SAFE_OUTPUTS_CONFIG`, // Config is now in file, not env var + `${{ toJSON(`, } for _, expected := range expectedContent { @@ -329,6 +333,12 @@ func TestRenderSafeOutputsMCPConfigTOML(t *testing.T) { t.Errorf("Expected content not found: %q\nActual output:\n%s", expected, result) } } + + for _, unexpected := range unexpectedContent { + if strings.Contains(result, unexpected) { + t.Errorf("Unexpected content found: %q\nActual output:\n%s", unexpected, result) + } + } } // TestRenderAgenticWorkflowsMCPConfigTOML verifies the Agentic Workflows TOML format helper diff --git a/pkg/workflow/mcp_config_shared_test.go b/pkg/workflow/mcp_config_shared_test.go index d7801e6066d..495f3335096 100644 --- a/pkg/workflow/mcp_config_shared_test.go +++ b/pkg/workflow/mcp_config_shared_test.go @@ -99,7 +99,6 @@ func TestRenderSafeOutputsMCPConfigShared(t *testing.T) { `"command": "node"`, `"/tmp/gh-aw/safeoutputs/mcp-server.cjs"`, `"GH_AW_SAFE_OUTPUTS"`, - `"GH_AW_SAFE_OUTPUTS_CONFIG"`, `"GH_AW_ASSETS_BRANCH"`, `"GH_AW_ASSETS_MAX_SIZE_KB"`, `"GH_AW_ASSETS_ALLOWED_EXTS"`, diff --git a/pkg/workflow/mcp_servers.go b/pkg/workflow/mcp_servers.go index 899f6ffd148..8a18f097084 100644 --- a/pkg/workflow/mcp_servers.go +++ b/pkg/workflow/mcp_servers.go @@ -179,7 +179,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Add safe-outputs env vars if present if hasSafeOutputs { yaml.WriteString(" GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}\n") - yaml.WriteString(" GH_AW_SAFE_OUTPUTS_CONFIG: ${{ toJSON(env.GH_AW_SAFE_OUTPUTS_CONFIG) }}\n") + // Config is now read from file, not passed as env var yaml.WriteString(" GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }}\n") yaml.WriteString(" GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}\n") yaml.WriteString(" GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}\n") diff --git a/pkg/workflow/safe_output_helpers_test.go b/pkg/workflow/safe_output_helpers_test.go index b3417a8d744..392c3f8e716 100644 --- a/pkg/workflow/safe_output_helpers_test.go +++ b/pkg/workflow/safe_output_helpers_test.go @@ -224,8 +224,7 @@ func TestApplySafeOutputEnvToMap(t *testing.T) { SafeOutputs: &SafeOutputsConfig{}, }, expected: map[string]string{ - "GH_AW_SAFE_OUTPUTS": "${{ env.GH_AW_SAFE_OUTPUTS }}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\"{}\"", + "GH_AW_SAFE_OUTPUTS": "${{ env.GH_AW_SAFE_OUTPUTS }}", }, }, { @@ -237,7 +236,6 @@ func TestApplySafeOutputEnvToMap(t *testing.T) { }, expected: map[string]string{ "GH_AW_SAFE_OUTPUTS": "${{ env.GH_AW_SAFE_OUTPUTS }}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\"{}\"", "GH_AW_SAFE_OUTPUTS_STAGED": "true", }, }, @@ -250,7 +248,6 @@ func TestApplySafeOutputEnvToMap(t *testing.T) { }, expected: map[string]string{ "GH_AW_SAFE_OUTPUTS": "${{ env.GH_AW_SAFE_OUTPUTS }}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\"{}\"", "GH_AW_SAFE_OUTPUTS_STAGED": "true", "GH_AW_TARGET_REPO_SLUG": "owner/repo", }, @@ -268,7 +265,6 @@ func TestApplySafeOutputEnvToMap(t *testing.T) { }, expected: map[string]string{ "GH_AW_SAFE_OUTPUTS": "${{ env.GH_AW_SAFE_OUTPUTS }}", - "GH_AW_SAFE_OUTPUTS_CONFIG": "\"{\\\"upload_asset\\\":{}}\"", "GH_AW_ASSETS_BRANCH": "\"gh-aw-assets\"", "GH_AW_ASSETS_MAX_SIZE_KB": "10240", "GH_AW_ASSETS_ALLOWED_EXTS": "\".png,.jpg,.jpeg\"", diff --git a/pkg/workflow/safe_outputs.go b/pkg/workflow/safe_outputs.go index 891a4a8da7c..7d671e10e86 100644 --- a/pkg/workflow/safe_outputs.go +++ b/pkg/workflow/safe_outputs.go @@ -746,9 +746,6 @@ func applySafeOutputEnvToMap(env map[string]string, data *WorkflowData) { env["GH_AW_SAFE_OUTPUTS"] = "${{ env.GH_AW_SAFE_OUTPUTS }}" - safeOutputConfig := generateSafeOutputsConfig(data) - env["GH_AW_SAFE_OUTPUTS_CONFIG"] = fmt.Sprintf("%q", safeOutputConfig) - // Add staged flag if specified if data.TrialMode || data.SafeOutputs.Staged { env["GH_AW_SAFE_OUTPUTS_STAGED"] = "true" diff --git a/pkg/workflow/safe_outputs_mcp_integration_test.go b/pkg/workflow/safe_outputs_mcp_integration_test.go index e4cf2209194..21284c73414 100644 --- a/pkg/workflow/safe_outputs_mcp_integration_test.go +++ b/pkg/workflow/safe_outputs_mcp_integration_test.go @@ -73,9 +73,14 @@ Test safe outputs workflow with MCP server integration. t.Error("Expected safeoutputs MCP server to be configured with node command") } - // Check that safe outputs config is properly set - if !strings.Contains(yamlStr, "GH_AW_SAFE_OUTPUTS_CONFIG") { - t.Error("Expected GH_AW_SAFE_OUTPUTS_CONFIG environment variable to be set") + // Check that safe outputs config is written to file, not as environment variable + if strings.Contains(yamlStr, "GH_AW_SAFE_OUTPUTS_CONFIG:") { + t.Error("GH_AW_SAFE_OUTPUTS_CONFIG should NOT be in environment variables - config is now in file") + } + + // Check that config file is created + if !strings.Contains(yamlStr, "cat > /tmp/gh-aw/safeoutputs/config.json") { + t.Error("Expected config file to be created") } t.Log("Safe outputs MCP server integration test passed") diff --git a/pkg/workflow/safe_outputs_mcp_server_test.go b/pkg/workflow/safe_outputs_mcp_server_test.go index bd4c39fc8cb..7249be46e78 100644 --- a/pkg/workflow/safe_outputs_mcp_server_test.go +++ b/pkg/workflow/safe_outputs_mcp_server_test.go @@ -37,12 +37,22 @@ func NewMCPTestClient(t *testing.T, outputFile string, config map[string]any) *M env = append(env, "GITHUB_SERVER_URL=https://github.com") env = append(env, "GITHUB_REPOSITORY=test/repo") + // Write config to file in the same directory as the output file if config != nil { + configFile := filepath.Join(filepath.Dir(outputFile), "config.json") configJSON, err := json.Marshal(config) if err != nil { t.Fatalf("Failed to marshal config: %v", err) } - env = append(env, fmt.Sprintf("GH_AW_SAFE_OUTPUTS_CONFIG=%s", string(configJSON))) + if err := os.WriteFile(configFile, configJSON, 0644); err != nil { + t.Fatalf("Failed to write config file: %v", err) + } + // Set config path environment variable to point to the test config file + env = append(env, fmt.Sprintf("GH_AW_SAFE_OUTPUTS_CONFIG_PATH=%s", configFile)) + // Clean up config file after test + t.Cleanup(func() { + os.Remove(configFile) + }) } // Create command for the MCP server From f617b698d67c7e40bc56f3dbdcb4fce50c1d6fad Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 3 Nov 2025 20:29:02 +0000 Subject: [PATCH 4/7] Fix TypeScript error and update JS tests for file-based config Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/artifacts-summary.lock.yml | 11 ++++++- .github/workflows/audit-workflows.lock.yml | 11 ++++++- .github/workflows/blog-auditor.lock.yml | 11 ++++++- .github/workflows/brave.lock.yml | 11 ++++++- .github/workflows/changeset.lock.yml | 11 ++++++- .github/workflows/ci-doctor.lock.yml | 11 ++++++- .../workflows/cli-version-checker.lock.yml | 11 ++++++- .../commit-changes-analyzer.lock.yml | 11 ++++++- .../workflows/copilot-agent-analysis.lock.yml | 11 ++++++- .../copilot-pr-prompt-analysis.lock.yml | 11 ++++++- .../copilot-session-insights.lock.yml | 11 ++++++- .github/workflows/craft.lock.yml | 11 ++++++- .github/workflows/daily-doc-updater.lock.yml | 11 ++++++- .../workflows/daily-firewall-report.lock.yml | 11 ++++++- .github/workflows/daily-news.lock.yml | 11 ++++++- .../workflows/daily-perf-improver.lock.yml | 11 ++++++- .../workflows/daily-repo-chronicle.lock.yml | 11 ++++++- .../workflows/daily-test-improver.lock.yml | 11 ++++++- .github/workflows/dev-hawk.lock.yml | 11 ++++++- .github/workflows/dev.lock.yml | 11 ++++++- .github/workflows/dictation-prompt.lock.yml | 11 ++++++- .../duplicate-code-detector.lock.yml | 11 ++++++- .../example-workflow-analyzer.lock.yml | 11 ++++++- .../github-mcp-tools-report.lock.yml | 11 ++++++- .github/workflows/go-logger.lock.yml | 11 ++++++- .../workflows/go-pattern-detector.lock.yml | 11 ++++++- .../workflows/instructions-janitor.lock.yml | 11 ++++++- .github/workflows/issue-classifier.lock.yml | 11 ++++++- .github/workflows/lockfile-stats.lock.yml | 11 ++++++- .github/workflows/mcp-inspector.lock.yml | 11 ++++++- .github/workflows/mergefest.lock.yml | 11 ++++++- .../workflows/notion-issue-summary.lock.yml | 11 ++++++- .github/workflows/pdf-summary.lock.yml | 11 ++++++- .github/workflows/plan.lock.yml | 11 ++++++- .github/workflows/poem-bot.lock.yml | 11 ++++++- .../prompt-clustering-analysis.lock.yml | 11 ++++++- .github/workflows/python-data-charts.lock.yml | 11 ++++++- .github/workflows/q.lock.yml | 11 ++++++- .github/workflows/repo-tree-map.lock.yml | 11 ++++++- .github/workflows/research.lock.yml | 11 ++++++- .github/workflows/safe-output-health.lock.yml | 11 ++++++- .../schema-consistency-checker.lock.yml | 11 ++++++- .github/workflows/scout.lock.yml | 11 ++++++- .github/workflows/security-fix-pr.lock.yml | 11 ++++++- .../semantic-function-refactor.lock.yml | 11 ++++++- .github/workflows/smoke-claude.lock.yml | 11 ++++++- .github/workflows/smoke-codex.lock.yml | 11 ++++++- .../workflows/smoke-copilot.firewall.lock.yml | 11 ++++++- .github/workflows/smoke-copilot.lock.yml | 11 ++++++- .github/workflows/smoke-detector.lock.yml | 11 ++++++- .github/workflows/smoke-opencode.lock.yml | 11 ++++++- .../workflows/static-analysis-report.lock.yml | 11 ++++++- .../workflows/technical-doc-writer.lock.yml | 11 ++++++- .../test-ollama-threat-detection.lock.yml | 11 ++++++- .github/workflows/tidy.lock.yml | 11 ++++++- .github/workflows/unbloat-docs.lock.yml | 11 ++++++- .github/workflows/video-analyzer.lock.yml | 11 ++++++- .../workflows/weekly-issue-summary.lock.yml | 11 ++++++- pkg/workflow/js/collect_ndjson_output.cjs | 4 +-- .../safe_outputs_mcp_server_defaults.test.cjs | 31 ++++++++++++++++--- 60 files changed, 608 insertions(+), 65 deletions(-) diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 0d7314e73fd..898962d2782 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -2014,7 +2014,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 0c64e00d2cb..d7fab5a091b 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -3054,7 +3054,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 3fecf2999bf..c0e7d18cad6 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -2404,7 +2404,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index e34e9ab2e28..ee0648c5085 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -2942,7 +2942,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 5123b90a903..85cccd29d4d 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -2620,7 +2620,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 9183612c3e9..5986d32df51 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -2473,7 +2473,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 9d257f6876d..28281a35f61 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -2119,7 +2119,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 250da4bb379..46339b82c24 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -2335,7 +2335,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index a67ec303d3e..d43a9cb04b7 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -2687,7 +2687,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 71e61a921b3..90bb711bb9b 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -2356,7 +2356,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index eee89a817d0..460f3db0f26 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -3595,7 +3595,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 00f5ebf34aa..64287d66235 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -3094,7 +3094,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 7b40b8717c9..789a190e0b3 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -2270,7 +2270,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 3e552e7543c..243b42abb72 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -2736,7 +2736,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index cd933702c36..b1c23338415 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -2712,7 +2712,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/daily-perf-improver.lock.yml b/.github/workflows/daily-perf-improver.lock.yml index ad6f2190183..763a03bad65 100644 --- a/.github/workflows/daily-perf-improver.lock.yml +++ b/.github/workflows/daily-perf-improver.lock.yml @@ -2521,7 +2521,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 3f8f391cac8..16314bdc8f0 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -2603,7 +2603,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/daily-test-improver.lock.yml b/.github/workflows/daily-test-improver.lock.yml index e24d068ce47..5e5b61a2863 100644 --- a/.github/workflows/daily-test-improver.lock.yml +++ b/.github/workflows/daily-test-improver.lock.yml @@ -2495,7 +2495,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index ce0b4d60608..9e8bab76a3f 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -2367,7 +2367,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index c4f9a992415..0366ca24536 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1914,7 +1914,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 7ff175ae605..94f666b9763 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -2004,7 +2004,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index a80d33682a1..4f2e34abf04 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -2090,7 +2090,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 3bd16a83d77..ed94017a174 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -2118,7 +2118,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 258e6d0390e..52c081f3c52 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -2634,7 +2634,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index e9fcc3e581e..f163770433c 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -2389,7 +2389,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 74a5a699a31..0ef960ed88d 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -2166,7 +2166,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index d3e98bdfc1f..7d036e7ad95 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -2268,7 +2268,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index f43947c0c28..32b2ac22d31 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml @@ -2631,7 +2631,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index ef189e19ff8..02c3bed487f 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -2472,7 +2472,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 27024f90e60..7f9424b7de6 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -2586,7 +2586,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 552f46436c7..8c585f6b696 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -2571,7 +2571,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index d12901916cb..3c1c8699bb5 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -1873,7 +1873,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 9523d06f63c..a8f069a7a66 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -3047,7 +3047,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index cfb9261fbd9..a1ee2266609 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -2543,7 +2543,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 26bbf7a24f0..d91e4af6893 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -3282,7 +3282,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 09e320683bd..5f8906a0cb8 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -2807,7 +2807,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index dd10d1a5c64..a14d4afee22 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -2313,7 +2313,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index a0aa2dfdc1e..7f9a35376a3 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -3397,7 +3397,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 258b3f03c6c..b3f870e55c1 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -2038,7 +2038,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 52eea6b63a7..9de795607ad 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -1979,7 +1979,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 2fc4aa2951c..c7181578c8e 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -2604,7 +2604,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index ee4eb4428ec..5c86665a8ea 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -2474,7 +2474,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index d8280cafd6c..30494a855e1 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -3429,7 +3429,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 943ae1202c2..8e34252524d 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -2216,7 +2216,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 68a1c138914..d5b827bc413 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -2566,7 +2566,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index de1e65d869e..32bf6ac984a 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2017,7 +2017,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 5e36d8f8a8d..8f6cb26c57c 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1831,7 +1831,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml index 2afb0f6ab5d..147562fed3c 100644 --- a/.github/workflows/smoke-copilot.firewall.lock.yml +++ b/.github/workflows/smoke-copilot.firewall.lock.yml @@ -1902,7 +1902,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index f65c7735719..277d79b467c 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1902,7 +1902,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index ce25cb53712..e1f14c20682 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -3056,7 +3056,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index 4d79212cea8..866b634ec46 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -1864,7 +1864,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 11fc92bcd31..56b94f4a6d2 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -2493,7 +2493,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index e29894996a4..ff58243db67 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -2754,7 +2754,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/test-ollama-threat-detection.lock.yml b/.github/workflows/test-ollama-threat-detection.lock.yml index 18b2a167b89..c22ab29716c 100644 --- a/.github/workflows/test-ollama-threat-detection.lock.yml +++ b/.github/workflows/test-ollama-threat-detection.lock.yml @@ -1845,7 +1845,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 7fda88ab91b..67487f57a65 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -2373,7 +2373,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index f0872ba6c68..45e2c6ab258 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -3181,7 +3181,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index f9545ed30af..044e111f9de 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -2136,7 +2136,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index b1068e7886a..bc9bd854a79 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -2514,7 +2514,16 @@ jobs: } } const outputFile = process.env.GH_AW_SAFE_OUTPUTS; - const safeOutputsConfig = process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json"; + let safeOutputsConfig; + try { + if (fs.existsSync(configPath)) { + const configFileContent = fs.readFileSync(configPath, "utf8"); + safeOutputsConfig = JSON.parse(configFileContent); + } + } catch (error) { + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); + } if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/pkg/workflow/js/collect_ndjson_output.cjs b/pkg/workflow/js/collect_ndjson_output.cjs index aae8c9bbf11..f445d55657f 100644 --- a/pkg/workflow/js/collect_ndjson_output.cjs +++ b/pkg/workflow/js/collect_ndjson_output.cjs @@ -311,9 +311,9 @@ async function main() { safeOutputsConfig = JSON.parse(configFileContent); } } catch (error) { - core.warning(`Failed to read config file from ${configPath}: ${error.message}`); + core.warning(`Failed to read config file from ${configPath}: ${error instanceof Error ? error.message : String(error)}`); } - + if (!outputFile) { core.info("GH_AW_SAFE_OUTPUTS not set, no output to collect"); core.setOutput("output", ""); diff --git a/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs b/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs index 2e7e38af88a..a98cf072593 100644 --- a/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs +++ b/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs @@ -17,6 +17,15 @@ describe("safe_outputs_mcp_server.cjs defaults handling", () => { fs.mkdirSync(tempOutputDir, { recursive: true }); tempConfigFile = path.join(tempOutputDir, "config.json"); + + // Create default config directory and file for all tests + const defaultConfigDir = "/tmp/gh-aw/safeoutputs"; + if (!fs.existsSync(defaultConfigDir)) { + fs.mkdirSync(defaultConfigDir, { recursive: true }); + } + const defaultConfigPath = path.join(defaultConfigDir, "config.json"); + // Create a minimal default config + fs.writeFileSync(defaultConfigPath, JSON.stringify({ create_issue: true, missing_tool: true })); }); afterEach(() => { @@ -34,14 +43,18 @@ describe("safe_outputs_mcp_server.cjs defaults handling", () => { it("should use default output file when GH_AW_SAFE_OUTPUTS is not set", async () => { // Remove environment variables delete process.env.GH_AW_SAFE_OUTPUTS; - delete process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + delete process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH; - // Create default directories + // Create default directories and default config file const defaultOutputDir = "/tmp/gh-aw/safeoutputs"; if (!fs.existsSync(defaultOutputDir)) { fs.mkdirSync(defaultOutputDir, { recursive: true }); } + // Write a default config file so the server can start + const defaultConfigPath = path.join(defaultOutputDir, "config.json"); + fs.writeFileSync(defaultConfigPath, JSON.stringify({ create_issue: true, missing_tool: true })); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -105,7 +118,7 @@ describe("safe_outputs_mcp_server.cjs defaults handling", () => { it("should read config from default file when config file exists", async () => { // Remove environment variables delete process.env.GH_AW_SAFE_OUTPUTS; - delete process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + delete process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH; // Create default config file const defaultConfigDir = "/tmp/gh-aw/safeoutputs"; @@ -185,7 +198,7 @@ describe("safe_outputs_mcp_server.cjs defaults handling", () => { it("should use empty config when default file does not exist", async () => { // Remove environment variables delete process.env.GH_AW_SAFE_OUTPUTS; - delete process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + delete process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH; // Ensure default config file does not exist const defaultConfigFile = "/tmp/gh-aw/safeoutputs/config.json"; @@ -254,13 +267,21 @@ describe("safe_outputs_mcp_server.cjs defaults handling", () => { // Set GH_AW_SAFE_OUTPUTS to a path that doesn't exist yet process.env.GH_AW_SAFE_OUTPUTS = testOutputFile; - delete process.env.GH_AW_SAFE_OUTPUTS_CONFIG; + delete process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH; // Ensure the directory does NOT exist before starting if (fs.existsSync(testOutputDir)) { fs.rmSync(testOutputDir, { recursive: true, force: true }); } + // Create default config file so the server can start + const defaultConfigDir = "/tmp/gh-aw/safeoutputs"; + if (!fs.existsSync(defaultConfigDir)) { + fs.mkdirSync(defaultConfigDir, { recursive: true }); + } + const defaultConfigPath = path.join(defaultConfigDir, "config.json"); + fs.writeFileSync(defaultConfigPath, JSON.stringify({ create_issue: true, missing_tool: true })); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { From 3840332da8b667928c222939670866e505d6211e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 3 Nov 2025 21:23:02 +0000 Subject: [PATCH 5/7] Fix output collection to handle parsed config object instead of JSON string Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/artifacts-summary.lock.yml | 3 +- .github/workflows/audit-workflows.lock.yml | 3 +- .github/workflows/blog-auditor.lock.yml | 3 +- .github/workflows/brave.lock.yml | 3 +- .github/workflows/changeset.lock.yml | 3 +- .github/workflows/ci-doctor.lock.yml | 3 +- .../workflows/cli-version-checker.lock.yml | 3 +- .../commit-changes-analyzer.lock.yml | 3 +- .../workflows/copilot-agent-analysis.lock.yml | 3 +- .../copilot-pr-prompt-analysis.lock.yml | 3 +- .../copilot-session-insights.lock.yml | 3 +- .github/workflows/craft.lock.yml | 3 +- .github/workflows/daily-doc-updater.lock.yml | 3 +- .../workflows/daily-firewall-report.lock.yml | 3 +- .github/workflows/daily-news.lock.yml | 3 +- .../workflows/daily-perf-improver.lock.yml | 3 +- .../workflows/daily-repo-chronicle.lock.yml | 3 +- .../workflows/daily-test-improver.lock.yml | 3 +- .github/workflows/dev-hawk.lock.yml | 3 +- .github/workflows/dev.lock.yml | 3 +- .github/workflows/dictation-prompt.lock.yml | 3 +- .../duplicate-code-detector.lock.yml | 3 +- .../example-workflow-analyzer.lock.yml | 3 +- .../github-mcp-tools-report.lock.yml | 3 +- .github/workflows/go-logger.lock.yml | 3 +- .../workflows/go-pattern-detector.lock.yml | 3 +- .../workflows/instructions-janitor.lock.yml | 3 +- .github/workflows/issue-classifier.lock.yml | 3 +- .github/workflows/lockfile-stats.lock.yml | 3 +- .github/workflows/mcp-inspector.lock.yml | 3 +- .github/workflows/mergefest.lock.yml | 3 +- .../workflows/notion-issue-summary.lock.yml | 3 +- .github/workflows/pdf-summary.lock.yml | 3 +- .github/workflows/plan.lock.yml | 3 +- .github/workflows/poem-bot.lock.yml | 3 +- .../prompt-clustering-analysis.lock.yml | 3 +- .github/workflows/python-data-charts.lock.yml | 3 +- .github/workflows/q.lock.yml | 3 +- .github/workflows/repo-tree-map.lock.yml | 3 +- .github/workflows/research.lock.yml | 3 +- .github/workflows/safe-output-health.lock.yml | 3 +- .../schema-consistency-checker.lock.yml | 3 +- .github/workflows/scout.lock.yml | 3 +- .github/workflows/security-fix-pr.lock.yml | 3 +- .../semantic-function-refactor.lock.yml | 3 +- .github/workflows/smoke-claude.lock.yml | 3 +- .github/workflows/smoke-codex.lock.yml | 3 +- .../workflows/smoke-copilot.firewall.lock.yml | 3 +- .github/workflows/smoke-copilot.lock.yml | 3 +- .github/workflows/smoke-detector.lock.yml | 3 +- .github/workflows/smoke-opencode.lock.yml | 3 +- .../workflows/static-analysis-report.lock.yml | 3 +- .../workflows/technical-doc-writer.lock.yml | 3 +- .../test-ollama-threat-detection.lock.yml | 3 +- .github/workflows/tidy.lock.yml | 3 +- .github/workflows/unbloat-docs.lock.yml | 3 +- .github/workflows/video-analyzer.lock.yml | 3 +- .../workflows/weekly-issue-summary.lock.yml | 3 +- pkg/workflow/js/collect_ndjson_output.cjs | 4 +- .../js/collect_ndjson_output.test.cjs | 410 ++++++++++++++---- 60 files changed, 388 insertions(+), 200 deletions(-) diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 898962d2782..c98da4a2ac1 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -2042,8 +2042,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index d7fab5a091b..0af9e4cac89 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -3082,8 +3082,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index c0e7d18cad6..97f255808b0 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -2432,8 +2432,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index ee0648c5085..1b235529ce9 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -2970,8 +2970,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 85cccd29d4d..f00e115174b 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -2648,8 +2648,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 5986d32df51..b3eb0818aea 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -2501,8 +2501,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 28281a35f61..6b7a628abdd 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -2147,8 +2147,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 46339b82c24..2ba04ec0d44 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -2363,8 +2363,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index d43a9cb04b7..55992ed86dc 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -2715,8 +2715,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 90bb711bb9b..33a3df879d5 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -2384,8 +2384,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 460f3db0f26..1b184b22bfb 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -3623,8 +3623,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 64287d66235..cb169df044e 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -3122,8 +3122,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 789a190e0b3..b3858c94214 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -2298,8 +2298,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 243b42abb72..54e7c83ea86 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -2764,8 +2764,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index b1c23338415..b6f340f0116 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -2740,8 +2740,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/daily-perf-improver.lock.yml b/.github/workflows/daily-perf-improver.lock.yml index 763a03bad65..272cfb34764 100644 --- a/.github/workflows/daily-perf-improver.lock.yml +++ b/.github/workflows/daily-perf-improver.lock.yml @@ -2549,8 +2549,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 16314bdc8f0..aa80f8650f7 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -2631,8 +2631,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/daily-test-improver.lock.yml b/.github/workflows/daily-test-improver.lock.yml index 5e5b61a2863..3fae8a56e4c 100644 --- a/.github/workflows/daily-test-improver.lock.yml +++ b/.github/workflows/daily-test-improver.lock.yml @@ -2523,8 +2523,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 9e8bab76a3f..b22f336cff2 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -2395,8 +2395,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 0366ca24536..495794d2759 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1942,8 +1942,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 94f666b9763..24f670275a0 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -2032,8 +2032,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 4f2e34abf04..e19b9bb706a 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -2118,8 +2118,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index ed94017a174..6aea651517d 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -2146,8 +2146,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 52c081f3c52..e0a7b3c6e3c 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -2662,8 +2662,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index f163770433c..5a2334e426d 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -2417,8 +2417,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 0ef960ed88d..eb8ed0fbfc1 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -2194,8 +2194,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 7d036e7ad95..7fdf8b7c1fe 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -2296,8 +2296,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index 32b2ac22d31..dbc7282edb7 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml @@ -2659,8 +2659,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 02c3bed487f..9bbe663601c 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -2500,8 +2500,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 7f9424b7de6..1376951d7e2 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -2614,8 +2614,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 8c585f6b696..28cb9e65795 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -2599,8 +2599,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 3c1c8699bb5..5d63a98e675 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -1901,8 +1901,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index a8f069a7a66..6f9277c6161 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -3075,8 +3075,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index a1ee2266609..6634cf7b69e 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -2571,8 +2571,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index d91e4af6893..5df8a84d8ab 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -3310,8 +3310,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 5f8906a0cb8..f1ee2777067 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -2835,8 +2835,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index a14d4afee22..70696d1badc 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -2341,8 +2341,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 7f9a35376a3..8fbcd33c8c9 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -3425,8 +3425,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index b3f870e55c1..016c710b78e 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -2066,8 +2066,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 9de795607ad..f36a07dcdfa 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -2007,8 +2007,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index c7181578c8e..3f6d213323b 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -2632,8 +2632,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 5c86665a8ea..98aadaa56b7 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -2502,8 +2502,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 30494a855e1..a933005d71b 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -3457,8 +3457,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 8e34252524d..fd566a96b56 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -2244,8 +2244,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index d5b827bc413..3dbfc32a1f2 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -2594,8 +2594,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 32bf6ac984a..76afad19065 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2045,8 +2045,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 8f6cb26c57c..ae2ab673b9f 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1859,8 +1859,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml index 147562fed3c..ea76d8f7b2c 100644 --- a/.github/workflows/smoke-copilot.firewall.lock.yml +++ b/.github/workflows/smoke-copilot.firewall.lock.yml @@ -1930,8 +1930,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 277d79b467c..dcb9adc23cd 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1930,8 +1930,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index e1f14c20682..c7122379dff 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -3084,8 +3084,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index 866b634ec46..2d7ca6355ac 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -1892,8 +1892,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 56b94f4a6d2..85276feefd6 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -2521,8 +2521,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index ff58243db67..dea4c20dd0d 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -2782,8 +2782,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/test-ollama-threat-detection.lock.yml b/.github/workflows/test-ollama-threat-detection.lock.yml index c22ab29716c..60b4005e380 100644 --- a/.github/workflows/test-ollama-threat-detection.lock.yml +++ b/.github/workflows/test-ollama-threat-detection.lock.yml @@ -1873,8 +1873,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 67487f57a65..c98e10d0da3 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -2401,8 +2401,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 45e2c6ab258..ee0a992acbb 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -3209,8 +3209,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 044e111f9de..205ec83f8d0 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -2164,8 +2164,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index bc9bd854a79..340dac800d1 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -2542,8 +2542,7 @@ jobs: let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/pkg/workflow/js/collect_ndjson_output.cjs b/pkg/workflow/js/collect_ndjson_output.cjs index f445d55657f..898f171dcfb 100644 --- a/pkg/workflow/js/collect_ndjson_output.cjs +++ b/pkg/workflow/js/collect_ndjson_output.cjs @@ -332,9 +332,9 @@ async function main() { let expectedOutputTypes = {}; if (safeOutputsConfig) { try { - const rawConfig = JSON.parse(safeOutputsConfig); + // safeOutputsConfig is already a parsed object from the file // Normalize all config keys to use underscores instead of dashes - expectedOutputTypes = Object.fromEntries(Object.entries(rawConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); + expectedOutputTypes = Object.fromEntries(Object.entries(safeOutputsConfig).map(([key, value]) => [key.replace(/-/g, "_"), value])); core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`); } catch (error) { const errorMsg = error instanceof Error ? error.message : String(error); diff --git a/pkg/workflow/js/collect_ndjson_output.test.cjs b/pkg/workflow/js/collect_ndjson_output.test.cjs index 829c2c469ab..a0351d6dde9 100644 --- a/pkg/workflow/js/collect_ndjson_output.test.cjs +++ b/pkg/workflow/js/collect_ndjson_output.test.cjs @@ -135,7 +135,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true, "add_comment": true}'; + const __config = '{"create_issue": true, "add_comment": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -157,7 +160,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -179,7 +185,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -203,7 +212,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"add_labels": true}'; + const __config = '{"add_labels": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -226,7 +238,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_pull_request": true}'; + const __config = '{"create_pull_request": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -253,7 +268,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true, "add_comment": true}'; + const __config = '{"create_issue": true, "add_comment": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -273,7 +291,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -296,7 +317,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; // Set max to 2 for create_issue - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": {"max": 2}}'; + const __config = '{"create_issue": {"max": 2}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -320,7 +344,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_discussion": true}'; + const __config = '{"create_discussion": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -346,7 +373,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true, "add_comment": true}'; + const __config = '{"create_issue": true, "add_comment": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -369,7 +399,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_pull_request_review_comment": {"max": 10}}'; + const __config = '{"create_pull_request_review_comment": {"max": 10}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -396,7 +429,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_pull_request_review_comment": {"max": 10}}'; + const __config = '{"create_pull_request_review_comment": {"max": 10}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -423,7 +459,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; // Set max to 5 for create-pull-request-review-comment - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_pull_request_review_comment": {"max": 5}}'; + const __config = '{"create_pull_request_review_comment": {"max": 5}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -446,7 +485,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -466,7 +508,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -486,7 +531,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -506,7 +554,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -526,7 +577,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -546,7 +600,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -567,7 +624,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -587,7 +647,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -607,7 +670,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"add_labels": true}'; + const __config = '{"add_labels": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -628,7 +694,10 @@ describe("collect_ndjson_output.cjs", () => { fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -654,7 +723,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true, "add_comment": true}'; + const __config = '{"create_issue": true, "add_comment": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -676,7 +748,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -697,7 +772,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -718,7 +796,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -739,7 +820,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"add_labels": true}'; + const __config = '{"add_labels": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -759,7 +843,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"add_labels": true}'; + const __config = '{"add_labels": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -787,7 +874,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -808,7 +898,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -830,7 +923,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -854,7 +950,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -879,7 +978,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -903,7 +1005,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -927,7 +1032,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -951,7 +1059,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -978,7 +1089,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1003,7 +1117,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1026,7 +1143,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1049,7 +1169,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1072,7 +1195,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1093,7 +1219,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1116,7 +1245,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1145,7 +1277,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1165,7 +1300,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1186,7 +1324,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1207,7 +1348,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"add_labels": true}'; + const __config = '{"add_labels": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1228,7 +1372,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1256,7 +1403,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"add_labels": true}'; + const __config = '{"add_labels": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1277,7 +1427,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1301,7 +1454,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true, "add_comment": true}'; + const __config = '{"create_issue": true, "add_comment": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1336,7 +1492,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); // Mock fs.writeFileSync to throw an error for the agent_output.json file const originalWriteFileSync = fs.writeFileSync; @@ -1377,7 +1536,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_code_scanning_alert": true}'; + const __config = '{"create_code_scanning_alert": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1430,7 +1592,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_code_scanning_alert": true}'; + const __config = '{"create_code_scanning_alert": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1457,7 +1622,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_code_scanning_alert": true}'; + const __config = '{"create_code_scanning_alert": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1482,7 +1650,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_code_scanning_alert": true}'; + const __config = '{"create_code_scanning_alert": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1505,7 +1676,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_code_scanning_alert": true}'; + const __config = '{"create_code_scanning_alert": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1532,7 +1706,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_code_scanning_alert": true}'; + const __config = '{"create_code_scanning_alert": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1559,7 +1736,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_code_scanning_alert": true}'; + const __config = '{"create_code_scanning_alert": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1586,7 +1766,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1605,7 +1788,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1623,7 +1809,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1641,7 +1830,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1659,7 +1851,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1677,7 +1872,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1693,7 +1891,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1715,7 +1916,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1734,7 +1938,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1755,7 +1962,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1775,7 +1985,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1797,7 +2010,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1816,7 +2032,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1834,7 +2053,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_pull_request": true}'; + const __config = '{"create_pull_request": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1853,7 +2075,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": true}'; + const __config = '{"create_issue": true}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1874,7 +2099,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; // Set min to 2 for create_issue - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": {"min": 2, "max": 5}}'; + const __config = '{"create_issue": {"min": 2, "max": 5}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1894,7 +2122,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; // Set min to 3 for create_issue, but we only have 1 item - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": {"min": 3, "max": 5}}'; + const __config = '{"create_issue": {"min": 3, "max": 5}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1917,7 +2148,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; // Set min to 1 for create_issue (satisfied) and min to 2 for add-comment (not satisfied) - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": {"min": 1, "max": 5}, "add_comment": {"min": 2, "max": 5}}'; + const __config = '{"create_issue": {"min": 1, "max": 5}, "add_comment": {"min": 2, "max": 5}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1938,7 +2172,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; // Set min to 0 for create_issue (should be ignored) - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": {"min": 0, "max": 5}}'; + const __config = '{"create_issue": {"min": 0, "max": 5}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1958,7 +2195,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; // No min specified, should default to 0 - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": {"max": 5}}'; + const __config = '{"create_issue": {"max": 5}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -1978,7 +2218,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; // Set min to 1 for create_issue, but no items present - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"create_issue": {"min": 1, "max": 5}}'; + const __config = '{"create_issue": {"min": 1, "max": 5}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); @@ -2001,7 +2244,10 @@ Line 3"} fs.writeFileSync(testFile, ndjsonContent); process.env.GH_AW_SAFE_OUTPUTS = testFile; // Set min requirements for different types - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = '{"add_comment": {"min": 2, "max": 5}, "create_discussion": {"min": 1, "max": 5}}'; + const __config = '{"add_comment": {"min": 2, "max": 5}, "create_discussion": {"min": 1, "max": 5}}'; + const configPath = "/tmp/gh-aw/safeoutputs/config.json"; + fs.mkdirSync("/tmp/gh-aw/safeoutputs", { recursive: true }); + fs.writeFileSync(configPath, __config); await eval(`(async () => { ${collectScript} })()`); From b8fb1f619932a205d2f24cc7b094982af253a5df Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 3 Nov 2025 21:37:37 +0000 Subject: [PATCH 6/7] Fix safe_outputs_mcp_large_content.test.cjs to use config file path instead of content Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/js/safe_outputs_mcp_large_content.test.cjs | 8 ++++---- pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/workflow/js/safe_outputs_mcp_large_content.test.cjs b/pkg/workflow/js/safe_outputs_mcp_large_content.test.cjs index 02690469f9e..dea1b1ed814 100644 --- a/pkg/workflow/js/safe_outputs_mcp_large_content.test.cjs +++ b/pkg/workflow/js/safe_outputs_mcp_large_content.test.cjs @@ -39,7 +39,7 @@ describe("safe_outputs_mcp_server.cjs large content handling", () => { it("should write large content to file when exceeding 16000 tokens", async () => { // Set up environment process.env.GH_AW_SAFE_OUTPUTS = tempOutputFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = fs.readFileSync(tempConfigFile, "utf8"); + process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH = tempConfigFile; const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); @@ -171,7 +171,7 @@ describe("safe_outputs_mcp_server.cjs large content handling", () => { it("should handle normal content without writing to file", async () => { // Set up environment process.env.GH_AW_SAFE_OUTPUTS = tempOutputFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = fs.readFileSync(tempConfigFile, "utf8"); + process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH = tempConfigFile; const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); @@ -281,7 +281,7 @@ describe("safe_outputs_mcp_server.cjs large content handling", () => { it("should detect JSON content and use .json extension", async () => { // Set up environment process.env.GH_AW_SAFE_OUTPUTS = tempOutputFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = fs.readFileSync(tempConfigFile, "utf8"); + process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH = tempConfigFile; const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); @@ -403,7 +403,7 @@ describe("safe_outputs_mcp_server.cjs large content handling", () => { it("should always use .json extension even for non-JSON content", async () => { // Set up environment process.env.GH_AW_SAFE_OUTPUTS = tempOutputFile; - process.env.GH_AW_SAFE_OUTPUTS_CONFIG = fs.readFileSync(tempConfigFile, "utf8"); + process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH = tempConfigFile; const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); diff --git a/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs b/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs index a98cf072593..49d22ed80f0 100644 --- a/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs +++ b/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs @@ -107,7 +107,7 @@ describe("safe_outputs_mcp_server.cjs defaults handling", () => { // Check that default paths are mentioned in debug output expect(stderr).toContain("GH_AW_SAFE_OUTPUTS not set, using default: /tmp/gh-aw/safeoutputs/outputs.jsonl"); expect(stderr).toContain( - "GH_AW_SAFE_OUTPUTS_CONFIG not set, attempting to read from default path: /tmp/gh-aw/safeoutputs/config.json" + "Reading config from file: /tmp/gh-aw/safeoutputs/config.json" ); resolve(); From b0ed14008d6e9d4295b8814421fc6fb6c345c979 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 3 Nov 2025 23:21:36 +0000 Subject: [PATCH 7/7] Fix safe_outputs_mcp_server_defaults tests to use file-based config Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../safe_outputs_mcp_server_defaults.test.cjs | 77 ++++++++++++++++--- 1 file changed, 66 insertions(+), 11 deletions(-) diff --git a/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs b/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs index 49d22ed80f0..01bcbee0470 100644 --- a/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs +++ b/pkg/workflow/js/safe_outputs_mcp_server_defaults.test.cjs @@ -354,6 +354,11 @@ describe("safe_outputs_mcp_server.cjs add_labels tool patching", () => { }, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -366,7 +371,7 @@ describe("safe_outputs_mcp_server.cjs add_labels tool patching", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs.jsonl", }, }); @@ -459,6 +464,11 @@ describe("safe_outputs_mcp_server.cjs add_labels tool patching", () => { }, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -471,7 +481,7 @@ describe("safe_outputs_mcp_server.cjs add_labels tool patching", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs.jsonl", }, }); @@ -567,6 +577,11 @@ describe("safe_outputs_mcp_server.cjs update_issue tool patching", () => { }, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -579,7 +594,7 @@ describe("safe_outputs_mcp_server.cjs update_issue tool patching", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs.jsonl", }, }); @@ -669,6 +684,11 @@ describe("safe_outputs_mcp_server.cjs update_issue tool patching", () => { }, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -681,7 +701,7 @@ describe("safe_outputs_mcp_server.cjs update_issue tool patching", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs.jsonl", }, }); @@ -767,6 +787,11 @@ describe("safe_outputs_mcp_server.cjs update_issue tool patching", () => { }, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -779,7 +804,7 @@ describe("safe_outputs_mcp_server.cjs update_issue tool patching", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs.jsonl", }, }); @@ -866,6 +891,11 @@ describe("safe_outputs_mcp_server.cjs upload_asset tool patching", () => { upload_asset: {}, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -878,7 +908,7 @@ describe("safe_outputs_mcp_server.cjs upload_asset tool patching", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs.jsonl", GH_AW_ASSETS_MAX_SIZE_KB: "5120", GH_AW_ASSETS_ALLOWED_EXTS: ".pdf,.txt,.md", @@ -968,6 +998,11 @@ describe("safe_outputs_mcp_server.cjs upload_asset tool patching", () => { upload_asset: {}, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -985,7 +1020,7 @@ describe("safe_outputs_mcp_server.cjs upload_asset tool patching", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...envWithoutAssetVars, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs.jsonl", }, }); @@ -1076,6 +1111,11 @@ describe("safe_outputs_mcp_server.cjs branch parameter handling", () => { create_pull_request: {}, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -1088,7 +1128,7 @@ describe("safe_outputs_mcp_server.cjs branch parameter handling", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs.jsonl", }, }); @@ -1177,6 +1217,11 @@ describe("safe_outputs_mcp_server.cjs branch parameter handling", () => { push_to_pull_request_branch: {}, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -1189,7 +1234,7 @@ describe("safe_outputs_mcp_server.cjs branch parameter handling", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs.jsonl", }, }); @@ -1281,6 +1326,11 @@ describe("safe_outputs_mcp_server.cjs tool call response format", () => { create_issue: {}, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -1293,7 +1343,7 @@ describe("safe_outputs_mcp_server.cjs tool call response format", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs-iserror.jsonl", }, }); @@ -1382,6 +1432,11 @@ describe("safe_outputs_mcp_server.cjs tool call response format", () => { create_issue: {}, }; + + // Write config to temporary file + const tempConfigPath = path.join("/tmp", `test-config-${Date.now()}-${Math.random().toString(36).substring(7)}.json`); + fs.writeFileSync(tempConfigPath, JSON.stringify(config)); + const serverPath = path.join(__dirname, "safe_outputs_mcp_server.cjs"); return new Promise((resolve, reject) => { @@ -1394,7 +1449,7 @@ describe("safe_outputs_mcp_server.cjs tool call response format", () => { stdio: ["pipe", "pipe", "pipe"], env: { ...process.env, - GH_AW_SAFE_OUTPUTS_CONFIG: JSON.stringify(config), + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: tempConfigPath, GH_AW_SAFE_OUTPUTS: "/tmp/gh-aw/test-outputs-json-response.jsonl", }, });