3 changes: 2 additions & 1 deletion .gitattributes
Expand Up @@ -4,7 +4,8 @@
.github/aw/github-agentic-workflows.md linguist-generated=true merge=ours
pkg/cli/workflows/*.lock.yml linguist-generated=true merge=ours
pkg/workflow/js/*.js linguist-generated=true
pkg/workflow/js/*.cjs linguist-generated=true
pkg/workflow/sh/*.sh linguist-generated=true
actions/*/index.js linguist-generated=true
actions/setup/js/*.cjs linguist-generated=true

.github/workflows/*.campaign.g.md linguist-generated=true merge=ours
198 changes: 184 additions & 14 deletions .github/aw/schemas/agentic-workflow.json
Expand Up @@ -273,7 +273,41 @@
"type": "string"
}
}
}
},
"oneOf": [
{
"required": ["branches"],
"not": { "required": ["branches-ignore"] }
},
{
"required": ["branches-ignore"],
"not": { "required": ["branches"] }
},
{
"not": {
"anyOf": [{ "required": ["branches"] }, { "required": ["branches-ignore"] }]
}
}
],
"allOf": [
{
"oneOf": [
{
"required": ["paths"],
"not": { "required": ["paths-ignore"] }
},
{
"required": ["paths-ignore"],
"not": { "required": ["paths"] }
},
{
"not": {
"anyOf": [{ "required": ["paths"] }, { "required": ["paths-ignore"] }]
}
}
]
}
]
},
"pull_request": {
"description": "Pull request event trigger that runs the workflow when pull requests are created, updated, or closed",
Expand Down Expand Up @@ -374,15 +408,50 @@
"items": {
"type": "string",
"description": "Label name"
}
},
"minItems": 1
}
]
}
},
"additionalProperties": false
"additionalProperties": false,
"oneOf": [
{
"required": ["branches"],
"not": { "required": ["branches-ignore"] }
},
{
"required": ["branches-ignore"],
"not": { "required": ["branches"] }
},
{
"not": {
"anyOf": [{ "required": ["branches"] }, { "required": ["branches-ignore"] }]
}
}
],
"allOf": [
{
"oneOf": [
{
"required": ["paths"],
"not": { "required": ["paths-ignore"] }
},
{
"required": ["paths-ignore"],
"not": { "required": ["paths"] }
},
{
"not": {
"anyOf": [{ "required": ["paths"] }, { "required": ["paths-ignore"] }]
}
}
]
}
]
},
"issues": {
"description": "Issues event trigger that runs the workflow when repository issues are created, updated, or managed",
"description": "Issues event trigger that runs when repository issues are created, updated, or managed",
"type": "object",
"additionalProperties": false,
"properties": {
Expand All @@ -406,7 +475,8 @@
"items": {
"type": "string",
"description": "Label name"
}
},
"minItems": 1
}
]
},
Expand Down Expand Up @@ -577,7 +647,22 @@
"type": "string"
}
}
}
},
"oneOf": [
{
"required": ["branches"],
"not": { "required": ["branches-ignore"] }
},
{
"required": ["branches-ignore"],
"not": { "required": ["branches"] }
},
{
"not": {
"anyOf": [{ "required": ["branches"] }, { "required": ["branches-ignore"] }]
}
}
]
},
"release": {
"description": "Release event trigger",
Expand Down Expand Up @@ -886,7 +971,41 @@
]
}
},
"additionalProperties": false
"additionalProperties": false,
"oneOf": [
{
"required": ["branches"],
"not": { "required": ["branches-ignore"] }
},
{
"required": ["branches-ignore"],
"not": { "required": ["branches"] }
},
{
"not": {
"anyOf": [{ "required": ["branches"] }, { "required": ["branches-ignore"] }]
}
}
],
"allOf": [
{
"oneOf": [
{
"required": ["paths"],
"not": { "required": ["paths-ignore"] }
},
{
"required": ["paths-ignore"],
"not": { "required": ["paths"] }
},
{
"not": {
"anyOf": [{ "required": ["paths"] }, { "required": ["paths-ignore"] }]
}
}
]
}
]
},
"pull_request_review": {
"description": "Pull request review event trigger that runs when a pull request review is submitted, edited, or dismissed",
Expand Down Expand Up @@ -1728,6 +1847,7 @@
}
},
"network": {
"$comment": "Strict mode requirements: When strict=true, the 'network' field must be present (not null/undefined) and cannot contain wildcard '*' in allowed domains. This is validated in Go code (pkg/workflow/strict_mode_validation.go) via validateStrictNetwork().",
"description": "Network access control for AI engines using ecosystem identifiers and domain allowlists. Controls web fetch and search capabilities.",
"examples": [
"defaults",
Expand Down Expand Up @@ -1761,7 +1881,8 @@
"items": {
"type": "string",
"description": "Domain name or ecosystem identifier (supports wildcards like '*.example.com' and ecosystem names like 'python', 'node')"
}
},
"$comment": "Empty array is valid and means deny all network access. Omit the field entirely or use network: defaults to use default network permissions."
},
"firewall": {
"description": "AWF (Agent Workflow Firewall) configuration for network egress control. Only supported for Copilot engine.",
Expand Down Expand Up @@ -1986,12 +2107,14 @@
"properties": {
"command": {
"type": "string",
"description": "Custom command to execute the MCP gateway (mutually exclusive with 'container')"
"$comment": "Mutually exclusive with 'container' - only one execution mode can be specified.",
"description": "Custom command to execute the MCP gateway"
},
"container": {
"type": "string",
"pattern": "^[a-zA-Z0-9][a-zA-Z0-9/:_.-]*$",
"description": "Container image for the MCP gateway executable (mutually exclusive with 'command')"
"$comment": "Mutually exclusive with 'command' - only one execution mode can be specified.",
"description": "Container image for the MCP gateway executable"
},
"version": {
"type": ["string", "number"],
Expand All @@ -2010,7 +2133,8 @@
"items": {
"type": "string"
},
"description": "Arguments to add after the container image (container entrypoint arguments, only valid with 'container')"
"$comment": "Requires 'container' to be specified - entrypoint arguments only apply to container execution.",
"description": "Arguments to add after the container image (container entrypoint arguments)"
},
"env": {
"type": "object",
Expand All @@ -2034,7 +2158,35 @@
"description": "API key for authenticating with the MCP gateway (supports ${{ secrets.* }} syntax)"
}
},
"additionalProperties": false
"additionalProperties": false,
"anyOf": [
{
"required": ["command"]
},
{
"required": ["container"]
}
],
"not": {
"allOf": [
{
"required": ["command"]
},
{
"required": ["container"]
}
]
},
"allOf": [
{
"if": {
"required": ["entrypointArgs"]
},
"then": {
"required": ["container"]
}
}
]
}
},
"additionalProperties": false
Expand Down Expand Up @@ -2268,7 +2420,9 @@
"stargazers",
"users"
]
}
},
"minItems": 1,
"$comment": "At least one toolset is required when toolsets array is specified. Use null or omit the field to use all toolsets."
}
},
"additionalProperties": false,
Expand Down Expand Up @@ -3017,6 +3171,7 @@
},
"safe-outputs": {
"type": "object",
"$comment": "Strict mode dependency: When strict=true AND permissions contains write values (contents:write, issues:write, or pull-requests:write), safe-outputs must be configured. This relationship is validated in Go code (pkg/workflow/strict_mode_validation.go) via validateStrictPermissions() because it requires complex logic to check if ANY permission property equals 'write', which cannot be expressed concisely in JSON Schema.",
"description": "Safe output processing configuration that automatically creates GitHub issues, comments, and pull requests from AI workflow output without requiring write permissions in the main job",
"$comment": "Required if workflow creates or modifies GitHub resources. Operations requiring safe-outputs: add-comment, add-labels, add-reviewer, assign-milestone, assign-to-agent, close-discussion, close-issue, close-pull-request, create-agent-task, create-code-scanning-alert, create-discussion, create-issue, create-pull-request, create-pull-request-review-comment, hide-comment, link-sub-issue, missing-tool, noop, push-to-pull-request-branch, threat-detection, update-discussion, update-issue, update-project, update-pull-request, update-release, upload-asset. See documentation for complete details.",
"properties": {
Expand Down Expand Up @@ -4723,6 +4878,7 @@
"strict": {
"type": "boolean",
"default": true,
"$comment": "Strict mode enforces several security constraints that are validated in Go code (pkg/workflow/strict_mode_validation.go) rather than JSON Schema: (1) Write Permissions + Safe Outputs: When strict=true AND permissions contains write values (contents:write, issues:write, pull-requests:write), safe-outputs must be configured. This relationship is too complex for JSON Schema as it requires checking if ANY permission property has a 'write' value. (2) Network Requirements: When strict=true, the 'network' field must be present and cannot contain wildcard '*'. (3) MCP Container Network: Custom MCP servers with containers require explicit network configuration. (4) Action Pinning: Actions must be pinned to commit SHAs. These are enforced during compilation via validateStrictMode().",
"description": "Enable strict mode validation for enhanced security and compliance. Strict mode enforces: (1) Write Permissions - refuses contents:write, issues:write, pull-requests:write; requires safe-outputs instead, (2) Network Configuration - requires explicit network configuration with no wildcard '*' in allowed domains, (3) Action Pinning - enforces actions pinned to commit SHAs instead of tags/branches, (4) MCP Network - requires network configuration for custom MCP servers with containers, (5) Deprecated Fields - refuses deprecated frontmatter fields. Can be enabled per-workflow via 'strict: true' in frontmatter, or disabled via 'strict: false'. CLI flag takes precedence over frontmatter (gh aw compile --strict enforces strict mode). Defaults to true. See: https://githubnext.github.io/gh-aw/reference/frontmatter/#strict-mode-strict",
"examples": [true, false]
},
Expand Down Expand Up @@ -4982,6 +5138,16 @@
}
},
"required": ["pull_request_review_comment"]
},
{
"properties": {
"label": {
"not": {
"type": "null"
}
}
},
"required": ["label"]
}
]
}
Expand Down Expand Up @@ -5160,12 +5326,14 @@
"command": {
"type": "string",
"minLength": 1,
"$comment": "Mutually exclusive with 'container' - only one execution mode can be specified. Validated by 'not.allOf' constraint below.",
"description": "Command for stdio MCP connections"
},
"container": {
"type": "string",
"pattern": "^[a-zA-Z0-9][a-zA-Z0-9/:_.-]*$",
"description": "Container image for stdio MCP connections (alternative to command)"
"$comment": "Mutually exclusive with 'command' - only one execution mode can be specified. Validated by 'not.allOf' constraint below.",
"description": "Container image for stdio MCP connections"
},
"version": {
"type": ["string", "number"],
Expand Down Expand Up @@ -5198,6 +5366,7 @@
},
"network": {
"type": "object",
"$comment": "Requires 'container' to be specified - network configuration only applies to container-based MCP servers. Validated by 'if/then' constraint in 'allOf' below.",
"properties": {
"allowed": {
"type": "array",
Expand Down Expand Up @@ -5230,6 +5399,7 @@
}
},
"additionalProperties": false,
"$comment": "Validation constraints: (1) Mutual exclusion: 'command' and 'container' cannot both be specified. (2) Requirement: Either 'command' or 'container' must be provided (via 'anyOf'). (3) Dependency: 'network' requires 'container' (validated in 'allOf'). (4) Type constraint: When 'type' is 'stdio' or 'local', either 'command' or 'container' is required.",
"anyOf": [
{
"required": ["type"]
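Review bot: The `"$comment"` added to `safe-outputs` in the `@@ -3017,6 +3171,7 @@` hunk is a duplicate of the `"$comment"` key already present two lines below it in the same object (the object continues past the hunk); RFC 8259 leaves duplicate member names undefined, most parsers keep only the last value, so the strict-mode note pointing at `validateStrictPermissions()` would be silently dropped, and an I-JSON-strict loader would reject the schema outright. Since `$comment` must be a single string, fold the new sentence into the existing `$comment` text instead of adding a second key, and consider loading the schema with a duplicate-rejecting `object_pairs_hook` in the test suite so the next duplicate is caught. The `$comment` added on `strict` in the `@@ -4723,6 +4878,7 @@` hunk enumerates four enforced constraints while the `description` directly beneath it lists five (the deprecated-fields refusal is missing from the comment), so the two read as contradictory; add item (5) to the comment or drop the enumeration from it and refer to the description. The branch-filter `oneOf` added ahead of `release` in the `@@ -577,7 +647,22 @@` hunk has no `paths`/`paths-ignore` counterpart, unlike the three sibling triggers; if that trigger accepts path filters this looks like an omission, and if it does not, a one-line `$comment` saying so would keep the asymmetry from being "fixed" later.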
2 changes: 1 addition & 1 deletion .github/workflows/agent-performance-analyzer.lock.yml


2 changes: 1 addition & 1 deletion .github/workflows/ai-moderator.lock.yml


2 changes: 1 addition & 1 deletion .github/workflows/archie.lock.yml


2 changes: 1 addition & 1 deletion .github/workflows/artifacts-summary.lock.yml


2 changes: 1 addition & 1 deletion .github/workflows/audit-workflows.lock.yml


2 changes: 1 addition & 1 deletion .github/workflows/blog-auditor.lock.yml

