From a35799661bb45e4456fbe2f2ea63021543420147 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 06:50:26 +0000 Subject: [PATCH 01/21] Initial plan From 3eca6846e225fcd0da8e5c47c4b1619bf16aef75 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 07:01:21 +0000 Subject: [PATCH 02/21] Initial plan checkpoint Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agentic-token-audit.lock.yml | 2 +- .github/workflows/agentic-token-optimizer.lock.yml | 2 +- .github/workflows/agentic-token-trend-audit.lock.yml | 2 +- .github/workflows/architecture-guardian.lock.yml | 2 +- .github/workflows/auto-triage-issues.lock.yml | 2 +- .github/workflows/aw-failure-investigator.lock.yml | 2 +- .github/workflows/ci-doctor.lock.yml | 2 +- .github/workflows/cli-consistency-checker.lock.yml | 2 +- .github/workflows/code-simplifier.lock.yml | 2 +- .github/workflows/contribution-check.lock.yml | 2 +- .github/workflows/copilot-centralization-drilldown.lock.yml | 2 +- .github/workflows/copilot-pr-nlp-analysis.lock.yml | 2 +- .github/workflows/daily-ambient-context-optimizer.lock.yml | 2 +- .github/workflows/daily-community-attribution.lock.yml | 2 +- .github/workflows/daily-multi-device-docs-tester.lock.yml | 2 +- .github/workflows/daily-security-observability.lock.yml | 2 +- .github/workflows/daily-spdd-spec-planner.lock.yml | 2 +- .github/workflows/dataflow-pr-discussion-dataset.lock.yml | 2 +- .github/workflows/delight.lock.yml | 2 +- .github/workflows/dependabot-burner.lock.yml | 2 +- .github/workflows/design-decision-gate.lock.yml | 2 +- .github/workflows/designer-drift-audit.lock.yml | 2 +- .github/workflows/docs-noob-tester.lock.yml | 2 +- .github/workflows/eslint-monster.lock.yml | 2 +- .github/workflows/glossary-maintainer.lock.yml | 2 +- .github/workflows/gpclean.lock.yml | 2 +- .github/workflows/impeccable-skills-reviewer.lock.yml | 2 +- .github/workflows/issue-arborist.lock.yml | 2 +- .github/workflows/lint-monster.lock.yml | 2 +- .github/workflows/linter-miner.lock.yml | 2 +- .github/workflows/mattpocock-skills-reviewer.lock.yml | 2 +- .github/workflows/mergefest.lock.yml | 2 +- .github/workflows/objective-impact-report.lock.yml | 2 +- .github/workflows/pr-description-caveman.lock.yml | 2 +- .github/workflows/prompt-clustering-analysis.lock.yml | 2 +- .github/workflows/release.lock.yml | 2 +- .github/workflows/repository-quality-improver.lock.yml | 2 +- .github/workflows/schema-consistency-checker.lock.yml | 2 +- .github/workflows/spec-extractor.lock.yml | 2 +- .github/workflows/stale-repo-identifier.lock.yml | 2 +- .github/workflows/static-analysis-report.lock.yml | 2 +- .github/workflows/step-name-alignment.lock.yml | 2 +- .github/workflows/test-quality-sentinel.lock.yml | 2 +- .github/workflows/uk-ai-operational-resilience.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 2 +- .github/workflows/weekly-blog-post-writer.lock.yml | 2 +- .github/workflows/workflow-health-manager.lock.yml | 4 ++-- .github/workflows/workflow-skill-extractor.lock.yml | 2 +- 48 files changed, 49 insertions(+), 49 deletions(-) diff --git a/.github/workflows/agentic-token-audit.lock.yml b/.github/workflows/agentic-token-audit.lock.yml index dfc3946ad98..de2da2d2e6a 100644 --- a/.github/workflows/agentic-token-audit.lock.yml +++ b/.github/workflows/agentic-token-audit.lock.yml @@ -525,7 +525,7 @@ jobs: - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Download agentic workflow logs - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/token-audit\n\n# Download last 24 hours of agentic workflow logs as JSON\n# Allow partial results — gh aw logs streams incrementally, so even if\n# it hits an API rate limit partway through, the JSON written so far is\n# still valid and should be processed by the agent.\nLOGS_EXIT=0\ngh aw logs \\\n --start-date -1d \\\n --json \\\n -c 100 \\\n > /tmp/gh-aw/token-audit/workflow-logs.json || LOGS_EXIT=$?\n\nif [ -s /tmp/gh-aw/token-audit/workflow-logs.json ]; then\n TOTAL=$(jq '.runs | length' /tmp/gh-aw/token-audit/workflow-logs.json)\n echo \"✅ Downloaded $TOTAL agentic workflow runs (last 24 hours)\"\n if [ \"$LOGS_EXIT\" -ne 0 ]; then\n echo \"⚠️ gh aw logs exited with code $LOGS_EXIT (partial results — likely API rate limit)\"\n fi\nelse\n echo \"❌ No log data downloaded (exit code $LOGS_EXIT)\"\n echo '{\"runs\":[],\"summary\":{}}' > /tmp/gh-aw/token-audit/workflow-logs.json\nfi\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/token-audit\n\n# Download last 24 hours of agentic workflow logs as JSON\n# Allow partial results — gh aw logs streams incrementally, so even if\n# it hits an API rate limit partway through, the JSON written so far is\n# still valid and should be processed by the agent.\nLOGS_EXIT=0\ngh aw logs \\\n --start-date -1d \\\n --json \\\n -c 100 \\\n > /tmp/gh-aw/token-audit/workflow-logs.json || LOGS_EXIT=$?\n\nif [ -s /tmp/gh-aw/token-audit/workflow-logs.json ]; then\n TOTAL=$(jq '.runs | length' /tmp/gh-aw/token-audit/workflow-logs.json)\n echo \"✅ Downloaded $TOTAL agentic workflow runs (last 24 hours)\"\n if [ \"$LOGS_EXIT\" -ne 0 ]; then\n echo \"⚠️ gh aw logs exited with code $LOGS_EXIT (partial results — likely API rate limit)\"\n fi\nelse\n echo \"❌ No log data downloaded (exit code $LOGS_EXIT)\"\n echo '{\"runs\":[],\"summary\":{}}' > /tmp/gh-aw/token-audit/workflow-logs.json\nfi" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) diff --git a/.github/workflows/agentic-token-optimizer.lock.yml b/.github/workflows/agentic-token-optimizer.lock.yml index 248cace1314..3b6906eb720 100644 --- a/.github/workflows/agentic-token-optimizer.lock.yml +++ b/.github/workflows/agentic-token-optimizer.lock.yml @@ -483,7 +483,7 @@ jobs: - name: Aggregate top workflows by AIC usage run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/token-audit\n\njq '{\n generated_at: (now | todateiso8601),\n window_days: 7,\n top_workflows: (\n [.runs[]\n | select(.status == \"completed\")\n | {\n workflow_name: .workflow_name,\n aic: (.aic // 0),\n raw_tokens: (.token_usage // 0),\n turns: (.turns // 0),\n action_minutes: (.action_minutes // 0)\n }\n ]\n | group_by(.workflow_name)\n | map({\n workflow_name: .[0].workflow_name,\n run_count: length,\n total_aic: (map(.aic) | add),\n avg_aic: ((map(.aic) | add) / length),\n total_raw_tokens: (map(.raw_tokens) | add),\n total_turns: (map(.turns) | add),\n total_action_minutes: (map(.action_minutes) | add)\n })\n | sort_by(.total_aic)\n | reverse\n | .[:10]\n )\n}' /tmp/gh-aw/token-audit/all-runs.json > /tmp/gh-aw/token-audit/top-workflows.json\n\necho \"✅ Generated top workflow summary at /tmp/gh-aw/token-audit/top-workflows.json\"\njq '.top_workflows' /tmp/gh-aw/token-audit/top-workflows.json\n" - name: Load optimization history - run: "set -euo pipefail\n\nOPT_LOG=\"/tmp/gh-aw/repo-memory/default/optimization-log.json\"\nif [ -f \"$OPT_LOG\" ]; then\n echo \"✅ Previous optimizations:\"\n jq -r '.[] | \"\\(.date): \\(.workflow_name)\"' \"$OPT_LOG\"\nelse\n echo \"ℹ️ No previous optimization history found.\"\nfi\n" + run: "set -euo pipefail\n\nOPT_LOG=\"/tmp/gh-aw/repo-memory/default/optimization-log.json\"\nif [ -f \"$OPT_LOG\" ]; then\n echo \"✅ Previous optimizations:\"\n jq -r '.[] | \"\\(.date): \\(.workflow_name)\"' \"$OPT_LOG\"\nelse\n echo \"ℹ️ No previous optimization history found.\"\nfi" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) diff --git a/.github/workflows/agentic-token-trend-audit.lock.yml b/.github/workflows/agentic-token-trend-audit.lock.yml index f040ef04ab9..fbf66fe3cc4 100644 --- a/.github/workflows/agentic-token-trend-audit.lock.yml +++ b/.github/workflows/agentic-token-trend-audit.lock.yml @@ -509,7 +509,7 @@ jobs: DATE_RANGE_INPUT: ${{ github.event.inputs.date_range }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Download agentic workflow logs - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/token-audit\n\nDATE_RANGE=\"$DATE_RANGE_INPUT\"\nif [[ \"$DATE_RANGE\" != *\"..\"* ]]; then\n echo \"❌ Invalid date_range input: $DATE_RANGE\"\n echo \"Expected format: .. (for example 2026-05-01..2026-05-31 or -30d..now)\"\n exit 1\nfi\n\nSTART_DATE=\"${DATE_RANGE%%..*}\"\nEND_DATE=\"${DATE_RANGE##*..}\"\n\n# Download logs for the requested range as JSON.\n# Allow partial results — gh aw logs streams incrementally, so even if\n# it hits an API rate limit partway through, the JSON written so far is\n# still valid and should be processed by the agent.\nLOGS_EXIT=0\ngh aw logs \\\n --start-date \"$START_DATE\" \\\n --end-date \"$END_DATE\" \\\n --json \\\n -c 500 \\\n > /tmp/gh-aw/token-audit/workflow-logs.json || LOGS_EXIT=$?\n\nif [ -s /tmp/gh-aw/token-audit/workflow-logs.json ]; then\n TOTAL=$(jq '.runs | length' /tmp/gh-aw/token-audit/workflow-logs.json)\n echo \"✅ Downloaded $TOTAL agentic workflow runs ($START_DATE to $END_DATE)\"\n if [ \"$LOGS_EXIT\" -ne 0 ]; then\n echo \"⚠️ gh aw logs exited with code $LOGS_EXIT (partial results — likely API rate limit)\"\n fi\nelse\n echo \"❌ No log data downloaded (exit code $LOGS_EXIT)\"\n echo '{\"runs\":[],\"summary\":{}}' > /tmp/gh-aw/token-audit/workflow-logs.json\nfi\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/token-audit\n\nDATE_RANGE=\"$DATE_RANGE_INPUT\"\nif [[ \"$DATE_RANGE\" != *\"..\"* ]]; then\n echo \"❌ Invalid date_range input: $DATE_RANGE\"\n echo \"Expected format: .. (for example 2026-05-01..2026-05-31 or -30d..now)\"\n exit 1\nfi\n\nSTART_DATE=\"${DATE_RANGE%%..*}\"\nEND_DATE=\"${DATE_RANGE##*..}\"\n\n# Download logs for the requested range as JSON.\n# Allow partial results — gh aw logs streams incrementally, so even if\n# it hits an API rate limit partway through, the JSON written so far is\n# still valid and should be processed by the agent.\nLOGS_EXIT=0\ngh aw logs \\\n --start-date \"$START_DATE\" \\\n --end-date \"$END_DATE\" \\\n --json \\\n -c 500 \\\n > /tmp/gh-aw/token-audit/workflow-logs.json || LOGS_EXIT=$?\n\nif [ -s /tmp/gh-aw/token-audit/workflow-logs.json ]; then\n TOTAL=$(jq '.runs | length' /tmp/gh-aw/token-audit/workflow-logs.json)\n echo \"✅ Downloaded $TOTAL agentic workflow runs ($START_DATE to $END_DATE)\"\n if [ \"$LOGS_EXIT\" -ne 0 ]; then\n echo \"⚠️ gh aw logs exited with code $LOGS_EXIT (partial results — likely API rate limit)\"\n fi\nelse\n echo \"❌ No log data downloaded (exit code $LOGS_EXIT)\"\n echo '{\"runs\":[],\"summary\":{}}' > /tmp/gh-aw/token-audit/workflow-logs.json\nfi" - name: Configure Git credentials env: diff --git a/.github/workflows/architecture-guardian.lock.yml b/.github/workflows/architecture-guardian.lock.yml index ad86986d5e6..6b51ec42799 100644 --- a/.github/workflows/architecture-guardian.lock.yml +++ b/.github/workflows/architecture-guardian.lock.yml @@ -526,7 +526,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Collect architecture metrics - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\n# Read thresholds from .architecture.yml or use defaults\nFILE_LINES_BLOCKER=1000\nFILE_LINES_WARNING=500\nFUNCTION_LINES=80\nMAX_EXPORTS=10\n\nif [ -f .architecture.yml ]; then\n b=$(grep -E '^\\s*file_lines_blocker:' .architecture.yml 2>/dev/null | awk '{print $2}' | tr -d '\"' | head -1 || true)\n w=$(grep -E '^\\s*file_lines_warning:' .architecture.yml 2>/dev/null | awk '{print $2}' | tr -d '\"' | head -1 || true)\n f=$(grep -E '^\\s*function_lines:' .architecture.yml 2>/dev/null | awk '{print $2}' | tr -d '\"' | head -1 || true)\n e=$(grep -E '^\\s*max_exports:' .architecture.yml 2>/dev/null | awk '{print $2}' | tr -d '\"' | head -1 || true)\n [[ -n \"${b:-}\" && \"$b\" =~ ^[0-9]+$ ]] && FILE_LINES_BLOCKER=$b\n [[ -n \"${w:-}\" && \"$w\" =~ ^[0-9]+$ ]] && FILE_LINES_WARNING=$w\n [[ -n \"${f:-}\" && \"$f\" =~ ^[0-9]+$ ]] && FUNCTION_LINES=$f\n [[ -n \"${e:-}\" && \"$e\" =~ ^[0-9]+$ ]] && MAX_EXPORTS=$e\nfi\n\n# Get changed Go/JS files in last 24 hours, excluding tests and vendor paths\nCHANGED_FILES=$(git log --since=\"24 hours ago\" --name-only --pretty=format: \\\n | sort -u \\\n | grep -E '\\.(go|js|cjs|mjs)$' \\\n | grep -vE '(node_modules/|vendor/|\\.git/|_test\\.go$)' \\\n | while IFS= read -r f; do [ -f \"$f\" ] && echo \"$f\"; done \\\n || true)\n\nif [ -z \"$CHANGED_FILES\" ]; then\n jq -n \\\n --argjson blocker \"$FILE_LINES_BLOCKER\" \\\n --argjson warning \"$FILE_LINES_WARNING\" \\\n --argjson func_lines \"$FUNCTION_LINES\" \\\n --argjson max_exports \"$MAX_EXPORTS\" \\\n '{noop: true, thresholds: {file_lines_blocker: $blocker, file_lines_warning: $warning, function_lines: $func_lines, max_exports: $max_exports}, files: [], import_cycles: \"\"}' \\\n > /tmp/gh-aw/agent/arch-metrics.json\n echo \"No changed Go/JS files found in the last 24 hours.\"\n exit 0\nfi\n\n# Build file metrics array\nFILES_JSON=\"[]\"\nwhile IFS= read -r FILE; do\n [ -z \"$FILE\" ] && continue\n LINES=$(wc -l < \"$FILE\" 2>/dev/null | tr -d ' ' || echo 0)\n EXT=\"${FILE##*.}\"\n\n if [[ \"$EXT\" == \"go\" ]]; then\n # Function sizes: \"func declaration\\tline_count\" per function\n # Pattern matches both regular functions (^func Name) and receiver methods (^func (r *T) Name)\n FUNC_DATA=$(awk '/^func /{if(start>0 && name!=\"\") printf \"%s\\t%d\\n\", name, NR-start; name=$0; start=NR} END{if(start>0 && name!=\"\") printf \"%s\\t%d\\n\", name, NR-start+1}' \"$FILE\" 2>/dev/null | head -50 || true)\n # Export count and names (top-level exported identifiers start with uppercase)\n EXPORT_COUNT=$(grep -cE \"^func [A-Z]|^type [A-Z]|^var [A-Z]|^const [A-Z]\" \"$FILE\" 2>/dev/null || echo 0)\n EXPORT_NAMES=$(grep -nE \"^func [A-Z]|^type [A-Z]|^var [A-Z]|^const [A-Z]\" \"$FILE\" 2>/dev/null | head -20 || true)\n else\n # JS/CJS/MJS: capture named functions, arrow functions, and class methods\n FUNC_DATA=$(grep -nE \"^function |^const [a-zA-Z_$][a-zA-Z0-9_$]* = (function|\\(|async \\(|async function)|^(export (default )?function|export const [a-zA-Z_$][a-zA-Z0-9_$]* =)|^[a-zA-Z_$][a-zA-Z0-9_$]*\\s*\\([^)]*\\)\\s*\\{\" \"$FILE\" 2>/dev/null | head -50 || true)\n CJS_COUNT=$(grep -cE \"^module\\.exports|^exports\\.\" \"$FILE\" 2>/dev/null || echo 0)\n ESM_COUNT=$(grep -cE \"^export \" \"$FILE\" 2>/dev/null || echo 0)\n EXPORT_COUNT=$((CJS_COUNT + ESM_COUNT))\n EXPORT_NAMES=$(grep -nE \"^export |^module\\.exports|^exports\\.\" \"$FILE\" 2>/dev/null | head -20 || true)\n fi\n\n FILES_JSON=$(jq \\\n --arg file \"$FILE\" \\\n --argjson lines \"$LINES\" \\\n --argjson exports \"$EXPORT_COUNT\" \\\n --arg func_data \"${FUNC_DATA:-}\" \\\n --arg export_names \"${EXPORT_NAMES:-}\" \\\n '. + [{file: $file, lines: $lines, export_count: $exports, func_data: $func_data, export_names: $export_names}]' \\\n <<< \"$FILES_JSON\")\ndone <<< \"$CHANGED_FILES\"\n\n# Check Go import cycles once across all packages\n# Note: go list may also emit errors for syntax issues; grep filters to only cycle errors\nIMPORT_CYCLES=$(go list ./... 2>&1 | grep -iE \"import cycle|cycle not allowed\" || true)\n\njq -n \\\n --argjson blocker \"$FILE_LINES_BLOCKER\" \\\n --argjson warning \"$FILE_LINES_WARNING\" \\\n --argjson func_lines \"$FUNCTION_LINES\" \\\n --argjson max_exports \"$MAX_EXPORTS\" \\\n --argjson files \"$FILES_JSON\" \\\n --arg import_cycles \"$IMPORT_CYCLES\" \\\n '{noop: false, thresholds: {file_lines_blocker: $blocker, file_lines_warning: $warning, function_lines: $func_lines, max_exports: $max_exports}, files: $files, import_cycles: $import_cycles}' \\\n > /tmp/gh-aw/agent/arch-metrics.json\n\nFILE_COUNT=$(echo \"$CHANGED_FILES\" | wc -l | tr -d ' ')\necho \"✅ Pre-computed metrics for $FILE_COUNT file(s) → /tmp/gh-aw/agent/arch-metrics.json\"\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\n# Read thresholds from .architecture.yml or use defaults\nFILE_LINES_BLOCKER=1000\nFILE_LINES_WARNING=500\nFUNCTION_LINES=80\nMAX_EXPORTS=10\n\nif [ -f .architecture.yml ]; then\n b=$(grep -E '^\\s*file_lines_blocker:' .architecture.yml 2>/dev/null | awk '{print $2}' | tr -d '\"' | head -1 || true)\n w=$(grep -E '^\\s*file_lines_warning:' .architecture.yml 2>/dev/null | awk '{print $2}' | tr -d '\"' | head -1 || true)\n f=$(grep -E '^\\s*function_lines:' .architecture.yml 2>/dev/null | awk '{print $2}' | tr -d '\"' | head -1 || true)\n e=$(grep -E '^\\s*max_exports:' .architecture.yml 2>/dev/null | awk '{print $2}' | tr -d '\"' | head -1 || true)\n [[ -n \"${b:-}\" && \"$b\" =~ ^[0-9]+$ ]] && FILE_LINES_BLOCKER=$b\n [[ -n \"${w:-}\" && \"$w\" =~ ^[0-9]+$ ]] && FILE_LINES_WARNING=$w\n [[ -n \"${f:-}\" && \"$f\" =~ ^[0-9]+$ ]] && FUNCTION_LINES=$f\n [[ -n \"${e:-}\" && \"$e\" =~ ^[0-9]+$ ]] && MAX_EXPORTS=$e\nfi\n\n# Get changed Go/JS files in last 24 hours, excluding tests and vendor paths\nCHANGED_FILES=$(git log --since=\"24 hours ago\" --name-only --pretty=format: \\\n | sort -u \\\n | grep -E '\\.(go|js|cjs|mjs)$' \\\n | grep -vE '(node_modules/|vendor/|\\.git/|_test\\.go$)' \\\n | while IFS= read -r f; do [ -f \"$f\" ] && echo \"$f\"; done \\\n || true)\n\nif [ -z \"$CHANGED_FILES\" ]; then\n jq -n \\\n --argjson blocker \"$FILE_LINES_BLOCKER\" \\\n --argjson warning \"$FILE_LINES_WARNING\" \\\n --argjson func_lines \"$FUNCTION_LINES\" \\\n --argjson max_exports \"$MAX_EXPORTS\" \\\n '{noop: true, thresholds: {file_lines_blocker: $blocker, file_lines_warning: $warning, function_lines: $func_lines, max_exports: $max_exports}, files: [], import_cycles: \"\"}' \\\n > /tmp/gh-aw/agent/arch-metrics.json\n echo \"No changed Go/JS files found in the last 24 hours.\"\n exit 0\nfi\n\n# Build file metrics array\nFILES_JSON=\"[]\"\nwhile IFS= read -r FILE; do\n [ -z \"$FILE\" ] && continue\n LINES=$(wc -l < \"$FILE\" 2>/dev/null | tr -d ' ' || echo 0)\n EXT=\"${FILE##*.}\"\n\n if [[ \"$EXT\" == \"go\" ]]; then\n # Function sizes: \"func declaration\\tline_count\" per function\n # Pattern matches both regular functions (^func Name) and receiver methods (^func (r *T) Name)\n FUNC_DATA=$(awk '/^func /{if(start>0 && name!=\"\") printf \"%s\\t%d\\n\", name, NR-start; name=$0; start=NR} END{if(start>0 && name!=\"\") printf \"%s\\t%d\\n\", name, NR-start+1}' \"$FILE\" 2>/dev/null | head -50 || true)\n # Export count and names (top-level exported identifiers start with uppercase)\n EXPORT_COUNT=$(grep -cE \"^func [A-Z]|^type [A-Z]|^var [A-Z]|^const [A-Z]\" \"$FILE\" 2>/dev/null || echo 0)\n EXPORT_NAMES=$(grep -nE \"^func [A-Z]|^type [A-Z]|^var [A-Z]|^const [A-Z]\" \"$FILE\" 2>/dev/null | head -20 || true)\n else\n # JS/CJS/MJS: capture named functions, arrow functions, and class methods\n FUNC_DATA=$(grep -nE \"^function |^const [a-zA-Z_$][a-zA-Z0-9_$]* = (function|\\(|async \\(|async function)|^(export (default )?function|export const [a-zA-Z_$][a-zA-Z0-9_$]* =)|^[a-zA-Z_$][a-zA-Z0-9_$]*\\s*\\([^)]*\\)\\s*\\{\" \"$FILE\" 2>/dev/null | head -50 || true)\n CJS_COUNT=$(grep -cE \"^module\\.exports|^exports\\.\" \"$FILE\" 2>/dev/null || echo 0)\n ESM_COUNT=$(grep -cE \"^export \" \"$FILE\" 2>/dev/null || echo 0)\n EXPORT_COUNT=$((CJS_COUNT + ESM_COUNT))\n EXPORT_NAMES=$(grep -nE \"^export |^module\\.exports|^exports\\.\" \"$FILE\" 2>/dev/null | head -20 || true)\n fi\n\n FILES_JSON=$(jq \\\n --arg file \"$FILE\" \\\n --argjson lines \"$LINES\" \\\n --argjson exports \"$EXPORT_COUNT\" \\\n --arg func_data \"${FUNC_DATA:-}\" \\\n --arg export_names \"${EXPORT_NAMES:-}\" \\\n '. + [{file: $file, lines: $lines, export_count: $exports, func_data: $func_data, export_names: $export_names}]' \\\n <<< \"$FILES_JSON\")\ndone <<< \"$CHANGED_FILES\"\n\n# Check Go import cycles once across all packages\n# Note: go list may also emit errors for syntax issues; grep filters to only cycle errors\nIMPORT_CYCLES=$(go list ./... 2>&1 | grep -iE \"import cycle|cycle not allowed\" || true)\n\njq -n \\\n --argjson blocker \"$FILE_LINES_BLOCKER\" \\\n --argjson warning \"$FILE_LINES_WARNING\" \\\n --argjson func_lines \"$FUNCTION_LINES\" \\\n --argjson max_exports \"$MAX_EXPORTS\" \\\n --argjson files \"$FILES_JSON\" \\\n --arg import_cycles \"$IMPORT_CYCLES\" \\\n '{noop: false, thresholds: {file_lines_blocker: $blocker, file_lines_warning: $warning, function_lines: $func_lines, max_exports: $max_exports}, files: $files, import_cycles: $import_cycles}' \\\n > /tmp/gh-aw/agent/arch-metrics.json\n\nFILE_COUNT=$(echo \"$CHANGED_FILES\" | wc -l | tr -d ' ')\necho \"✅ Pre-computed metrics for $FILE_COUNT file(s) → /tmp/gh-aw/agent/arch-metrics.json\"" - name: Configure Git credentials env: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 69a39074b87..64ed523e7b4 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -499,7 +499,7 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh" - name: Fetch unlabeled issues - run: | + run: |- mkdir -p /tmp/gh-aw/agent gh api "repos/github/gh-aw/issues?state=open&labels=&per_page=30" \ --jq '[.[] | select(.labels | length == 0) | {number: .number, title: .title, body: .body}]' \ diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index acdf9ef612f..16c18f61439 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml @@ -556,7 +556,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Deterministic pre-fetch for failure analysis - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent/failure-investigator\npython3 - <<'PY'\nimport json\nimport os\nimport subprocess\nfrom datetime import datetime, timedelta, timezone\nfrom pathlib import Path\nfrom urllib.parse import urlencode\n\nREPO = os.environ[\"GITHUB_REPOSITORY\"]\nOUT = \"/tmp/gh-aw/agent/failure-investigator/prefetch.json\"\nTRACKER_ID = \"aw-failure-investigator\"\nLOOKBACK_HOURS = 6\nFAILURE_CONCLUSIONS = {\"failure\", \"timed_out\", \"startup_failure\", \"cancelled\"}\nMAX_DISCOVERY_PAGES = 20\n# Most dominant signatures appear in the final 30-60 lines.\nMAX_LOG_TAIL_LINES = 50\n# Deep-dive budget: investigate at most this many distinct failed runs.\nMAX_FAILURES_TO_DETAIL = 5\nAGENTIC_WORKFLOW_PATHS = {\n f\".github/workflows/{path.name}\"\n for path in Path(\".github/workflows\").glob(\"*.lock.yml\")\n}\n\ndef cmd_display(args):\n return \" \".join(args)\n\ndef run_json(args):\n try:\n out = subprocess.check_output(args, text=True, stderr=subprocess.STDOUT)\n return json.loads(out)\n except subprocess.CalledProcessError as error:\n print(f\"Warning: command failed: {cmd_display(args)}\")\n print(error.output)\n return None\n except json.JSONDecodeError as error:\n print(f\"Warning: non-JSON output from command: {cmd_display(args)} ({error})\")\n return None\n except OSError as error:\n print(f\"Warning: could not execute command: {cmd_display(args)} ({error})\")\n return None\n\ndef run_text(args):\n try:\n return subprocess.check_output(args, text=True, stderr=subprocess.STDOUT)\n except subprocess.CalledProcessError as error:\n print(f\"Warning: command failed: {cmd_display(args)}\")\n print(error.output)\n return \"\"\n except OSError as error:\n print(f\"Warning: could not execute command: {cmd_display(args)} ({error})\")\n return \"\"\n\ndef run_api_json(endpoint, params):\n query = urlencode(params)\n return run_json([\"gh\", \"api\", f\"{endpoint}?{query}\"])\n\ndef is_failure_conclusion(conclusion):\n return (conclusion or \"\").lower() in FAILURE_CONCLUSIONS\n\ndef normalize_workflow_path(path):\n return (path or \"\").split(\"@\", 1)[0]\n\ndef is_agentic_workflow_path(path):\n workflow_path = normalize_workflow_path(path)\n if AGENTIC_WORKFLOW_PATHS:\n return workflow_path in AGENTIC_WORKFLOW_PATHS\n print(\"Warning: no local .lock.yml workflows found; falling back to workflow path suffix matching\")\n return workflow_path.endswith(\".lock.yml\")\n\ndef isoformat_z(dt):\n return dt.astimezone(timezone.utc).replace(microsecond=0).isoformat().replace(\"+00:00\", \"Z\")\n\ndef list_failed_agentic_runs():\n created_since = isoformat_z(datetime.now(timezone.utc) - timedelta(hours=LOOKBACK_HOURS))\n page = 1\n failed_runs = []\n\n while True:\n response = run_api_json(\n f\"repos/{REPO}/actions/runs\",\n {\n \"exclude_pull_requests\": \"true\",\n \"status\": \"completed\",\n \"created\": f\">={created_since}\",\n \"per_page\": \"100\",\n \"page\": str(page),\n },\n ) or {}\n workflow_runs = response.get(\"workflow_runs\") or []\n if not workflow_runs:\n break\n\n for run in workflow_runs:\n workflow_path = normalize_workflow_path(run.get(\"path\"))\n if not is_agentic_workflow_path(workflow_path):\n continue\n if not is_failure_conclusion(run.get(\"conclusion\")):\n continue\n\n failed_runs.append(\n {\n \"run_id\": run.get(\"id\"),\n \"workflow_name\": run.get(\"name\"),\n \"workflow_path\": workflow_path,\n \"created_at\": run.get(\"created_at\"),\n \"status\": run.get(\"status\"),\n \"conclusion\": run.get(\"conclusion\"),\n \"url\": run.get(\"html_url\"),\n }\n )\n\n if len(workflow_runs) < 100:\n break\n if page >= MAX_DISCOVERY_PAGES:\n print(f\"Warning: reached pagination cap ({MAX_DISCOVERY_PAGES} pages) while listing workflow runs\")\n break\n page += 1\n\n failed_runs.sort(key=lambda run: run.get(\"created_at\") or \"\", reverse=True)\n return failed_runs\n\nfailed_runs = list_failed_agentic_runs()\n\n# Cap the number of runs to detail so the payload stays compact.\nfailure_details = []\nfor run in failed_runs[:MAX_FAILURES_TO_DETAIL]:\n run_id = run.get(\"run_id\")\n if not run_id:\n continue\n\n run_view = run_json(\n [\n \"gh\",\n \"run\",\n \"view\",\n str(run_id),\n \"--repo\",\n REPO,\n \"--json\",\n \"databaseId,url,name,workflowName,createdAt,conclusion,status,jobs\",\n ]\n )\n if not run_view:\n continue\n\n failed_job_names = []\n failed_steps = []\n truncated_error_logs = []\n agent_job_conclusion = None\n for job in run_view.get(\"jobs\", []):\n job_name = job.get(\"name\")\n job_conclusion = (job.get(\"conclusion\") or \"\").lower()\n if (job_name or \"\").lower() == \"agent\":\n agent_job_conclusion = job_conclusion or None\n\n if is_failure_conclusion(job_conclusion):\n if job_name:\n failed_job_names.append(job_name)\n for step in job.get(\"steps\", []):\n if is_failure_conclusion(step.get(\"conclusion\")):\n failed_steps.append(\n {\n \"job_id\": job.get(\"databaseId\"),\n \"job_name\": job_name,\n \"step_name\": step.get(\"name\"),\n }\n )\n\n job_id = job.get(\"databaseId\")\n if job_id:\n log_text = run_text(\n [\n \"gh\",\n \"run\",\n \"view\",\n str(run_id),\n \"--repo\",\n REPO,\n \"--job\",\n str(job_id),\n \"--log-failed\",\n ]\n )\n if log_text:\n tail_lines = log_text.splitlines()[-MAX_LOG_TAIL_LINES:]\n truncated_error_logs.append(\n {\n \"job_id\": job_id,\n \"job_name\": job_name,\n \"line_count\": len(tail_lines),\n \"tail_lines\": \"\\n\".join(tail_lines),\n }\n )\n\n failure_details.append(\n {\n \"run_id\": run_id,\n \"workflow_name\": run_view.get(\"workflowName\") or run_view.get(\"name\"),\n \"workflow_path\": run.get(\"workflow_path\"),\n \"url\": run_view.get(\"url\"),\n \"created_at\": run_view.get(\"createdAt\"),\n \"status\": run_view.get(\"status\"),\n \"conclusion\": run_view.get(\"conclusion\"),\n \"failed_job_names\": sorted(set(failed_job_names)),\n \"agent_job_conclusion\": agent_job_conclusion,\n \"failed_steps\": failed_steps,\n \"truncated_error_logs\": truncated_error_logs,\n }\n )\n\nexisting_tracking_issues = run_json(\n [\n \"gh\",\n \"issue\",\n \"list\",\n \"--repo\",\n REPO,\n \"--state\",\n \"open\",\n \"--search\",\n f\"gh-aw-tracker-id: {TRACKER_ID}\",\n \"--limit\",\n \"100\",\n \"--json\",\n \"number,title,state,url,labels,createdAt,updatedAt\",\n ]\n) or []\n\npayload = {\n \"generated_at\": datetime.now(timezone.utc).isoformat(),\n \"repository\": REPO,\n \"lookback_window\": f\"{LOOKBACK_HOURS}h\",\n \"failed_run_ids\": [run.get(\"run_id\") for run in failed_runs if run.get(\"run_id\")],\n \"failures\": failure_details,\n \"existing_tracking_issues\": existing_tracking_issues,\n}\n\nwith open(OUT, \"w\", encoding=\"utf-8\") as f:\n json.dump(payload, f, indent=2)\n f.write(\"\\n\")\n\nprint(f\"Wrote deterministic prefetch payload to {OUT}\")\nprint(f\"Failed runs in payload: {len(payload['failed_run_ids'])}\")\nprint(f\"Existing tracking issues in payload: {len(existing_tracking_issues)}\")\nPY\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent/failure-investigator\npython3 - <<'PY'\nimport json\nimport os\nimport subprocess\nfrom datetime import datetime, timedelta, timezone\nfrom pathlib import Path\nfrom urllib.parse import urlencode\n\nREPO = os.environ[\"GITHUB_REPOSITORY\"]\nOUT = \"/tmp/gh-aw/agent/failure-investigator/prefetch.json\"\nTRACKER_ID = \"aw-failure-investigator\"\nLOOKBACK_HOURS = 6\nFAILURE_CONCLUSIONS = {\"failure\", \"timed_out\", \"startup_failure\", \"cancelled\"}\nMAX_DISCOVERY_PAGES = 20\n# Most dominant signatures appear in the final 30-60 lines.\nMAX_LOG_TAIL_LINES = 50\n# Deep-dive budget: investigate at most this many distinct failed runs.\nMAX_FAILURES_TO_DETAIL = 5\nAGENTIC_WORKFLOW_PATHS = {\n f\".github/workflows/{path.name}\"\n for path in Path(\".github/workflows\").glob(\"*.lock.yml\")\n}\n\ndef cmd_display(args):\n return \" \".join(args)\n\ndef run_json(args):\n try:\n out = subprocess.check_output(args, text=True, stderr=subprocess.STDOUT)\n return json.loads(out)\n except subprocess.CalledProcessError as error:\n print(f\"Warning: command failed: {cmd_display(args)}\")\n print(error.output)\n return None\n except json.JSONDecodeError as error:\n print(f\"Warning: non-JSON output from command: {cmd_display(args)} ({error})\")\n return None\n except OSError as error:\n print(f\"Warning: could not execute command: {cmd_display(args)} ({error})\")\n return None\n\ndef run_text(args):\n try:\n return subprocess.check_output(args, text=True, stderr=subprocess.STDOUT)\n except subprocess.CalledProcessError as error:\n print(f\"Warning: command failed: {cmd_display(args)}\")\n print(error.output)\n return \"\"\n except OSError as error:\n print(f\"Warning: could not execute command: {cmd_display(args)} ({error})\")\n return \"\"\n\ndef run_api_json(endpoint, params):\n query = urlencode(params)\n return run_json([\"gh\", \"api\", f\"{endpoint}?{query}\"])\n\ndef is_failure_conclusion(conclusion):\n return (conclusion or \"\").lower() in FAILURE_CONCLUSIONS\n\ndef normalize_workflow_path(path):\n return (path or \"\").split(\"@\", 1)[0]\n\ndef is_agentic_workflow_path(path):\n workflow_path = normalize_workflow_path(path)\n if AGENTIC_WORKFLOW_PATHS:\n return workflow_path in AGENTIC_WORKFLOW_PATHS\n print(\"Warning: no local .lock.yml workflows found; falling back to workflow path suffix matching\")\n return workflow_path.endswith(\".lock.yml\")\n\ndef isoformat_z(dt):\n return dt.astimezone(timezone.utc).replace(microsecond=0).isoformat().replace(\"+00:00\", \"Z\")\n\ndef list_failed_agentic_runs():\n created_since = isoformat_z(datetime.now(timezone.utc) - timedelta(hours=LOOKBACK_HOURS))\n page = 1\n failed_runs = []\n\n while True:\n response = run_api_json(\n f\"repos/{REPO}/actions/runs\",\n {\n \"exclude_pull_requests\": \"true\",\n \"status\": \"completed\",\n \"created\": f\">={created_since}\",\n \"per_page\": \"100\",\n \"page\": str(page),\n },\n ) or {}\n workflow_runs = response.get(\"workflow_runs\") or []\n if not workflow_runs:\n break\n\n for run in workflow_runs:\n workflow_path = normalize_workflow_path(run.get(\"path\"))\n if not is_agentic_workflow_path(workflow_path):\n continue\n if not is_failure_conclusion(run.get(\"conclusion\")):\n continue\n\n failed_runs.append(\n {\n \"run_id\": run.get(\"id\"),\n \"workflow_name\": run.get(\"name\"),\n \"workflow_path\": workflow_path,\n \"created_at\": run.get(\"created_at\"),\n \"status\": run.get(\"status\"),\n \"conclusion\": run.get(\"conclusion\"),\n \"url\": run.get(\"html_url\"),\n }\n )\n\n if len(workflow_runs) < 100:\n break\n if page >= MAX_DISCOVERY_PAGES:\n print(f\"Warning: reached pagination cap ({MAX_DISCOVERY_PAGES} pages) while listing workflow runs\")\n break\n page += 1\n\n failed_runs.sort(key=lambda run: run.get(\"created_at\") or \"\", reverse=True)\n return failed_runs\n\nfailed_runs = list_failed_agentic_runs()\n\n# Cap the number of runs to detail so the payload stays compact.\nfailure_details = []\nfor run in failed_runs[:MAX_FAILURES_TO_DETAIL]:\n run_id = run.get(\"run_id\")\n if not run_id:\n continue\n\n run_view = run_json(\n [\n \"gh\",\n \"run\",\n \"view\",\n str(run_id),\n \"--repo\",\n REPO,\n \"--json\",\n \"databaseId,url,name,workflowName,createdAt,conclusion,status,jobs\",\n ]\n )\n if not run_view:\n continue\n\n failed_job_names = []\n failed_steps = []\n truncated_error_logs = []\n agent_job_conclusion = None\n for job in run_view.get(\"jobs\", []):\n job_name = job.get(\"name\")\n job_conclusion = (job.get(\"conclusion\") or \"\").lower()\n if (job_name or \"\").lower() == \"agent\":\n agent_job_conclusion = job_conclusion or None\n\n if is_failure_conclusion(job_conclusion):\n if job_name:\n failed_job_names.append(job_name)\n for step in job.get(\"steps\", []):\n if is_failure_conclusion(step.get(\"conclusion\")):\n failed_steps.append(\n {\n \"job_id\": job.get(\"databaseId\"),\n \"job_name\": job_name,\n \"step_name\": step.get(\"name\"),\n }\n )\n\n job_id = job.get(\"databaseId\")\n if job_id:\n log_text = run_text(\n [\n \"gh\",\n \"run\",\n \"view\",\n str(run_id),\n \"--repo\",\n REPO,\n \"--job\",\n str(job_id),\n \"--log-failed\",\n ]\n )\n if log_text:\n tail_lines = log_text.splitlines()[-MAX_LOG_TAIL_LINES:]\n truncated_error_logs.append(\n {\n \"job_id\": job_id,\n \"job_name\": job_name,\n \"line_count\": len(tail_lines),\n \"tail_lines\": \"\\n\".join(tail_lines),\n }\n )\n\n failure_details.append(\n {\n \"run_id\": run_id,\n \"workflow_name\": run_view.get(\"workflowName\") or run_view.get(\"name\"),\n \"workflow_path\": run.get(\"workflow_path\"),\n \"url\": run_view.get(\"url\"),\n \"created_at\": run_view.get(\"createdAt\"),\n \"status\": run_view.get(\"status\"),\n \"conclusion\": run_view.get(\"conclusion\"),\n \"failed_job_names\": sorted(set(failed_job_names)),\n \"agent_job_conclusion\": agent_job_conclusion,\n \"failed_steps\": failed_steps,\n \"truncated_error_logs\": truncated_error_logs,\n }\n )\n\nexisting_tracking_issues = run_json(\n [\n \"gh\",\n \"issue\",\n \"list\",\n \"--repo\",\n REPO,\n \"--state\",\n \"open\",\n \"--search\",\n f\"gh-aw-tracker-id: {TRACKER_ID}\",\n \"--limit\",\n \"100\",\n \"--json\",\n \"number,title,state,url,labels,createdAt,updatedAt\",\n ]\n) or []\n\npayload = {\n \"generated_at\": datetime.now(timezone.utc).isoformat(),\n \"repository\": REPO,\n \"lookback_window\": f\"{LOOKBACK_HOURS}h\",\n \"failed_run_ids\": [run.get(\"run_id\") for run in failed_runs if run.get(\"run_id\")],\n \"failures\": failure_details,\n \"existing_tracking_issues\": existing_tracking_issues,\n}\n\nwith open(OUT, \"w\", encoding=\"utf-8\") as f:\n json.dump(payload, f, indent=2)\n f.write(\"\\n\")\n\nprint(f\"Wrote deterministic prefetch payload to {OUT}\")\nprint(f\"Failed runs in payload: {len(payload['failed_run_ids'])}\")\nprint(f\"Existing tracking issues in payload: {len(existing_tracking_issues)}\")\nPY" # Cache configuration from frontmatter processed below - name: Failure investigator prefetch diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 3bd3507d4c3..0e5ca299442 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -587,7 +587,7 @@ jobs: REPO: ${{ github.repository }} if: github.event_name == 'pull_request' name: Fetch PR check run status - run: "set -e\nPR_DIR=\"/tmp/gh-aw/agent/ci-doctor/pr\"\nmkdir -p \"$PR_DIR\"\n\necho \"=== CI Doctor: Fetching check runs for PR #$PR_NUMBER (SHA: $HEAD_SHA) ===\"\n\n# Fetch all check runs for the PR head commit (paginated to handle >30 jobs)\ngh api --paginate \"repos/$REPO/commits/$HEAD_SHA/check-runs\" \\\n --jq '.check_runs[] | {id:.id, name:.name, status:.status, conclusion:.conclusion, html_url:.html_url}' \\\n | jq -s '.' \\\n > \"$PR_DIR/check-runs.json\"\n\nTOTAL=$(jq 'length' \"$PR_DIR/check-runs.json\")\nFAILED=$(jq '[.[] | select(.conclusion == \"failure\" or .conclusion == \"cancelled\" or .conclusion == \"timed_out\")] | length' \"$PR_DIR/check-runs.json\")\necho \"Found $TOTAL check run(s), $FAILED failing\"\n\n# Isolate the failing check runs\njq '[.[] | select(.conclusion == \"failure\" or .conclusion == \"cancelled\" or .conclusion == \"timed_out\")]' \\\n \"$PR_DIR/check-runs.json\" > \"$PR_DIR/failed-checks.json\"\n\n# Write a human-readable summary\nSUMMARY_FILE=\"$PR_DIR/summary.txt\"\n{\n echo \"=== CI Doctor PR Pre-Analysis ===\"\n echo \"PR: #$PR_NUMBER\"\n echo \"HEAD SHA: $HEAD_SHA\"\n echo \"Total check runs: $TOTAL\"\n echo \"Failing check runs: $FAILED\"\n echo \"\"\n echo \"All checks ($PR_DIR/check-runs.json):\"\n jq -r '.[] | \" \\(.conclusion // .status): \\(.name)\"' \"$PR_DIR/check-runs.json\"\n echo \"\"\n if [ \"$FAILED\" -gt 0 ]; then\n echo \"Failing checks ($PR_DIR/failed-checks.json):\"\n jq -r '.[] | \" - \\(.name) [\\(.conclusion)]: \\(.html_url)\"' \"$PR_DIR/failed-checks.json\"\n fi\n} | tee \"$SUMMARY_FILE\"\n\necho \"\"\necho \"✅ PR pre-analysis complete. Agent should start with $SUMMARY_FILE\"\n" + run: "set -e\nPR_DIR=\"/tmp/gh-aw/agent/ci-doctor/pr\"\nmkdir -p \"$PR_DIR\"\n\necho \"=== CI Doctor: Fetching check runs for PR #$PR_NUMBER (SHA: $HEAD_SHA) ===\"\n\n# Fetch all check runs for the PR head commit (paginated to handle >30 jobs)\ngh api --paginate \"repos/$REPO/commits/$HEAD_SHA/check-runs\" \\\n --jq '.check_runs[] | {id:.id, name:.name, status:.status, conclusion:.conclusion, html_url:.html_url}' \\\n | jq -s '.' \\\n > \"$PR_DIR/check-runs.json\"\n\nTOTAL=$(jq 'length' \"$PR_DIR/check-runs.json\")\nFAILED=$(jq '[.[] | select(.conclusion == \"failure\" or .conclusion == \"cancelled\" or .conclusion == \"timed_out\")] | length' \"$PR_DIR/check-runs.json\")\necho \"Found $TOTAL check run(s), $FAILED failing\"\n\n# Isolate the failing check runs\njq '[.[] | select(.conclusion == \"failure\" or .conclusion == \"cancelled\" or .conclusion == \"timed_out\")]' \\\n \"$PR_DIR/check-runs.json\" > \"$PR_DIR/failed-checks.json\"\n\n# Write a human-readable summary\nSUMMARY_FILE=\"$PR_DIR/summary.txt\"\n{\n echo \"=== CI Doctor PR Pre-Analysis ===\"\n echo \"PR: #$PR_NUMBER\"\n echo \"HEAD SHA: $HEAD_SHA\"\n echo \"Total check runs: $TOTAL\"\n echo \"Failing check runs: $FAILED\"\n echo \"\"\n echo \"All checks ($PR_DIR/check-runs.json):\"\n jq -r '.[] | \" \\(.conclusion // .status): \\(.name)\"' \"$PR_DIR/check-runs.json\"\n echo \"\"\n if [ \"$FAILED\" -gt 0 ]; then\n echo \"Failing checks ($PR_DIR/failed-checks.json):\"\n jq -r '.[] | \" - \\(.name) [\\(.conclusion)]: \\(.html_url)\"' \"$PR_DIR/failed-checks.json\"\n fi\n} | tee \"$SUMMARY_FILE\"\n\necho \"\"\necho \"✅ PR pre-analysis complete. Agent should start with $SUMMARY_FILE\"" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 930d93b1c18..08666ca4fd4 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -530,7 +530,7 @@ jobs: GH_AW_SKILL_DIR: ".github/skills" run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh" - name: Build CLI and pre-collect help output - run: "set -euo pipefail\ncd /home/runner/work/gh-aw/gh-aw\nmake build\n\noutput_dir=\"/tmp/gh-aw/agent/help-output\"\nmkdir -p \"${output_dir}\"\nextract_commands='\n /^[[:space:]]+[[:alnum:]_-]+([[:space:]]|$)/ {\n cmd=$1\n gsub(/:$/, \"\", cmd)\n if (cmd != \"\" && cmd != \"Commands\") print cmd\n }\n'\n\n./gh-aw --help > \"${output_dir}/main.txt\"\nmapfile -t top_commands < <(awk \"${extract_commands}\" \"${output_dir}/main.txt\" | sort -u)\n\nfor cmd in \"${top_commands[@]}\"; do\n if ! ./gh-aw \"$cmd\" --help > \"${output_dir}/${cmd}.txt\" 2>&1; then\n echo \"warning: failed to collect help for '${cmd}'\" >&2\n continue\n fi\n mapfile -t subcommands < <(awk \"${extract_commands}\" \"${output_dir}/${cmd}.txt\" | sort -u)\n for sub in \"${subcommands[@]}\"; do\n if ! ./gh-aw \"$cmd\" \"$sub\" --help > \"${output_dir}/${cmd}-${sub}.txt\" 2>&1; then\n echo \"warning: failed to collect help for '${cmd} ${sub}'\" >&2\n fi\n done\ndone\n\nshopt -s nullglob\nhelp_files=(\"${output_dir}\"/*.txt)\nif [ ${#help_files[@]} -eq 0 ]; then\n echo \"No help output files were generated\" >&2\n exit 1\nfi\ncat \"${help_files[@]}\" > /tmp/gh-aw/agent/all-help.txt\nwc -l /tmp/gh-aw/agent/all-help.txt | awk '{print \"Pre-collected help lines:\", $1}'\n" + run: "set -euo pipefail\ncd /home/runner/work/gh-aw/gh-aw\nmake build\n\noutput_dir=\"/tmp/gh-aw/agent/help-output\"\nmkdir -p \"${output_dir}\"\nextract_commands='\n /^[[:space:]]+[[:alnum:]_-]+([[:space:]]|$)/ {\n cmd=$1\n gsub(/:$/, \"\", cmd)\n if (cmd != \"\" && cmd != \"Commands\") print cmd\n }\n'\n\n./gh-aw --help > \"${output_dir}/main.txt\"\nmapfile -t top_commands < <(awk \"${extract_commands}\" \"${output_dir}/main.txt\" | sort -u)\n\nfor cmd in \"${top_commands[@]}\"; do\n if ! ./gh-aw \"$cmd\" --help > \"${output_dir}/${cmd}.txt\" 2>&1; then\n echo \"warning: failed to collect help for '${cmd}'\" >&2\n continue\n fi\n mapfile -t subcommands < <(awk \"${extract_commands}\" \"${output_dir}/${cmd}.txt\" | sort -u)\n for sub in \"${subcommands[@]}\"; do\n if ! ./gh-aw \"$cmd\" \"$sub\" --help > \"${output_dir}/${cmd}-${sub}.txt\" 2>&1; then\n echo \"warning: failed to collect help for '${cmd} ${sub}'\" >&2\n fi\n done\ndone\n\nshopt -s nullglob\nhelp_files=(\"${output_dir}\"/*.txt)\nif [ ${#help_files[@]} -eq 0 ]; then\n echo \"No help output files were generated\" >&2\n exit 1\nfi\ncat \"${help_files[@]}\" > /tmp/gh-aw/agent/all-help.txt\nwc -l /tmp/gh-aw/agent/all-help.txt | awk '{print \"Pre-collected help lines:\", $1}'" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index c79d3d5242a..ed42078ff2c 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -501,7 +501,7 @@ jobs: EXPR_GITHUB_REPOSITORY: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Prepare workflow history summary (deterministic) - run: "set -euo pipefail\n: \"${GH_TOKEN:?GH_TOKEN is required for gh CLI queries}\"\nmkdir -p /tmp/gh-aw/agent/code-simplifier\n\ngh api \"repos/$EXPR_GITHUB_REPOSITORY/actions/workflows/code-simplifier.lock.yml/runs?per_page=30\" \\\n > /tmp/gh-aw/agent/code-simplifier/workflow-runs.json || echo '{\"workflow_runs\":[]}' > /tmp/gh-aw/agent/code-simplifier/workflow-runs.json\n\njq '\n .workflow_runs // []\n | {\n sample_size: length,\n success_count: (map(select(.conclusion == \"success\")) | length),\n failure_count: (map(select(.conclusion == \"failure\")) | length),\n cancelled_count: (map(select(.conclusion == \"cancelled\")) | length),\n recent_failures: (map(select(.conclusion == \"failure\")) | map({id,created_at,html_url}) | .[0:5]),\n deterministic_candidates: [\n {\n name: \"recent PR and commit discovery\",\n move_to: \"steps\",\n reason: \"This data is fetched every run and can be pre-computed once in deterministic shell steps.\"\n },\n {\n name: \"changed-file filtering\",\n move_to: \"steps\",\n reason: \"Extension and test/generated-file filtering is deterministic and should not consume AI tokens.\"\n },\n {\n name: \"workflow run history aggregation\",\n move_to: \"steps\",\n reason: \"Historical run metadata can be summarized via jq before entering agent context.\"\n }\n ]\n }\n' /tmp/gh-aw/agent/code-simplifier/workflow-runs.json > /tmp/gh-aw/agent/code-simplifier/history-summary.json\n" + run: "set -euo pipefail\n: \"${GH_TOKEN:?GH_TOKEN is required for gh CLI queries}\"\nmkdir -p /tmp/gh-aw/agent/code-simplifier\n\ngh api \"repos/$EXPR_GITHUB_REPOSITORY/actions/workflows/code-simplifier.lock.yml/runs?per_page=30\" \\\n > /tmp/gh-aw/agent/code-simplifier/workflow-runs.json || echo '{\"workflow_runs\":[]}' > /tmp/gh-aw/agent/code-simplifier/workflow-runs.json\n\njq '\n .workflow_runs // []\n | {\n sample_size: length,\n success_count: (map(select(.conclusion == \"success\")) | length),\n failure_count: (map(select(.conclusion == \"failure\")) | length),\n cancelled_count: (map(select(.conclusion == \"cancelled\")) | length),\n recent_failures: (map(select(.conclusion == \"failure\")) | map({id,created_at,html_url}) | .[0:5]),\n deterministic_candidates: [\n {\n name: \"recent PR and commit discovery\",\n move_to: \"steps\",\n reason: \"This data is fetched every run and can be pre-computed once in deterministic shell steps.\"\n },\n {\n name: \"changed-file filtering\",\n move_to: \"steps\",\n reason: \"Extension and test/generated-file filtering is deterministic and should not consume AI tokens.\"\n },\n {\n name: \"workflow run history aggregation\",\n move_to: \"steps\",\n reason: \"Historical run metadata can be summarized via jq before entering agent context.\"\n }\n ]\n }\n' /tmp/gh-aw/agent/code-simplifier/workflow-runs.json > /tmp/gh-aw/agent/code-simplifier/history-summary.json" - name: Configure Git credentials env: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 0112e0d7c6c..094049c3de1 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -497,7 +497,7 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh" - name: Fetch and filter PRs - run: | + run: |- # Fetch open PRs from the target repository opened in the last 24 hours SINCE=$(date -d '24 hours ago' '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null \ || date -v-24H '+%Y-%m-%dT%H:%M:%SZ') diff --git a/.github/workflows/copilot-centralization-drilldown.lock.yml b/.github/workflows/copilot-centralization-drilldown.lock.yml index 4cb96926c59..910370bd650 100644 --- a/.github/workflows/copilot-centralization-drilldown.lock.yml +++ b/.github/workflows/copilot-centralization-drilldown.lock.yml @@ -460,7 +460,7 @@ jobs: SAMPLE_PROMPT: ${{ inputs.sample_prompt }} TARGET_KIND: ${{ inputs.target_kind }} name: Normalize candidate input - run: "set -euo pipefail\nGH_AW_SAFE_OUTPUTS=\"${GH_AW_SAFE_OUTPUTS:-${RUNNER_TEMP:-/tmp}/gh-aw/safeoutputs/outputs.jsonl}\"\nmkdir -p /tmp/gh-aw/data\n\nif [ -n \"${CANDIDATE_JSON}\" ]; then\n printf '%s' \"$CANDIDATE_JSON\" | jq '.' > /tmp/gh-aw/data/candidate-raw.json\nelse\n jq -n \\\n --arg title \"$CANDIDATE_TITLE\" \\\n --arg recommendation_kind \"$RECOMMENDATION_KIND\" \\\n --arg sample_prompt \"$SAMPLE_PROMPT\" \\\n --arg evidence_summary \"$EVIDENCE_SUMMARY\" \\\n '{\n title: $title,\n recommendation_kind: $recommendation_kind,\n sample_prompt: (if $sample_prompt == \"\" then null else $sample_prompt end),\n evidence_summary: (if $evidence_summary == \"\" then null else $evidence_summary end)\n }' > /tmp/gh-aw/data/candidate-raw.json\nfi\n\ncandidate_title=\"$(jq -r '.title // empty' /tmp/gh-aw/data/candidate-raw.json)\"\nsample_prompt=\"$(jq -r '.sample_prompt // empty' /tmp/gh-aw/data/candidate-raw.json)\"\nevidence_summary=\"$(jq -r '.evidence_summary // empty' /tmp/gh-aw/data/candidate-raw.json)\"\n\nif [ -z \"$candidate_title\" ]; then\n printf '%s\\n' '{\"type\":\"noop\",\"message\":\"No candidate title was provided for drilldown.\"}' >> \"$GH_AW_SAFE_OUTPUTS\"\n exit 0\nfi\n\nslug=\"$(printf '%s' \"$candidate_title\" \\\n | tr '[:upper:]' '[:lower:]' \\\n | sed 's/[^a-z0-9]/-/g' \\\n | sed 's/-\\{2,\\}/-/g' \\\n | sed 's/^-//' \\\n | sed 's/-$//' \\\n | cut -c1-48)\"\n\nif [ -z \"$slug\" ]; then\n slug=\"candidate\"\nfi\n\nresolved_target_kind=\"$TARGET_KIND\"\nif [ \"$resolved_target_kind\" = \"\" ] || [ \"$resolved_target_kind\" = \"auto\" ]; then\n case \"$RECOMMENDATION_KIND\" in\n continuous_workflow)\n resolved_target_kind=\"workflow\"\n ;;\n shared_prompt_or_chatops)\n resolved_target_kind=\"shared_prompt\"\n ;;\n keep_ad_hoc_but_standardize)\n resolved_target_kind=\"playbook\"\n ;;\n *)\n resolved_target_kind=\"workflow\"\n ;;\n esac\nfi\n\nsample_len=${#sample_prompt}\nevidence_len=${#evidence_summary}\ncandidate_strength=\"weak\"\nif [ \"$sample_len\" -ge 24 ] || [ \"$evidence_len\" -ge 40 ] || [ -n \"$CANDIDATE_JSON\" ]; then\n candidate_strength=\"strong\"\nfi\n\njq -n \\\n --arg title \"$candidate_title\" \\\n --arg slug \"$slug\" \\\n --arg recommendation_kind \"$RECOMMENDATION_KIND\" \\\n --arg resolved_target_kind \"$resolved_target_kind\" \\\n --arg sample_prompt \"$sample_prompt\" \\\n --arg evidence_summary \"$evidence_summary\" \\\n --arg candidate_strength \"$candidate_strength\" \\\n --slurpfile raw /tmp/gh-aw/data/candidate-raw.json '\n {\n title: $title,\n slug: $slug,\n recommendation_kind: $recommendation_kind,\n resolved_target_kind: $resolved_target_kind,\n candidate_strength: $candidate_strength,\n sample_prompt: (if $sample_prompt == \"\" then null else $sample_prompt end),\n evidence_summary: (if $evidence_summary == \"\" then null else $evidence_summary end),\n raw_candidate: $raw[0]\n }\n ' > /tmp/gh-aw/data/candidate.json\n\njq -n \\\n --arg resolved_target_kind \"$resolved_target_kind\" \\\n --arg slug \"$slug\" '\n {\n target_path: (\n if $resolved_target_kind == \"workflow\" then \".github/workflows/\" + $slug + \".md\"\n elif $resolved_target_kind == \"shared_prompt\" then \".github/workflows/shared/\" + $slug + \".md\"\n else \".github/workflows/shared/\" + $slug + \"-playbook.md\"\n end\n ),\n trigger_hint: (\n if $resolved_target_kind == \"workflow\" then \"Prefer workflow_dispatch first; choose schedule or event triggers only when repeated evidence justifies automation.\"\n elif $resolved_target_kind == \"shared_prompt\" then \"Prefer a reusable prompt or shared workflow component before full automation.\"\n else \"Keep this human-in-the-loop and produce a reusable playbook or prompt template.\"\n end\n ),\n implementation_bias: \"Prefer the smallest durable artifact that reduces repeated prompting without widening scope.\",\n report_style: \"Use issue sections with visible summary and one fenced draft block.\"\n }\n ' > /tmp/gh-aw/data/derived-plan.json\n" + run: "set -euo pipefail\nGH_AW_SAFE_OUTPUTS=\"${GH_AW_SAFE_OUTPUTS:-${RUNNER_TEMP:-/tmp}/gh-aw/safeoutputs/outputs.jsonl}\"\nmkdir -p /tmp/gh-aw/data\n\nif [ -n \"${CANDIDATE_JSON}\" ]; then\n printf '%s' \"$CANDIDATE_JSON\" | jq '.' > /tmp/gh-aw/data/candidate-raw.json\nelse\n jq -n \\\n --arg title \"$CANDIDATE_TITLE\" \\\n --arg recommendation_kind \"$RECOMMENDATION_KIND\" \\\n --arg sample_prompt \"$SAMPLE_PROMPT\" \\\n --arg evidence_summary \"$EVIDENCE_SUMMARY\" \\\n '{\n title: $title,\n recommendation_kind: $recommendation_kind,\n sample_prompt: (if $sample_prompt == \"\" then null else $sample_prompt end),\n evidence_summary: (if $evidence_summary == \"\" then null else $evidence_summary end)\n }' > /tmp/gh-aw/data/candidate-raw.json\nfi\n\ncandidate_title=\"$(jq -r '.title // empty' /tmp/gh-aw/data/candidate-raw.json)\"\nsample_prompt=\"$(jq -r '.sample_prompt // empty' /tmp/gh-aw/data/candidate-raw.json)\"\nevidence_summary=\"$(jq -r '.evidence_summary // empty' /tmp/gh-aw/data/candidate-raw.json)\"\n\nif [ -z \"$candidate_title\" ]; then\n printf '%s\\n' '{\"type\":\"noop\",\"message\":\"No candidate title was provided for drilldown.\"}' >> \"$GH_AW_SAFE_OUTPUTS\"\n exit 0\nfi\n\nslug=\"$(printf '%s' \"$candidate_title\" \\\n | tr '[:upper:]' '[:lower:]' \\\n | sed 's/[^a-z0-9]/-/g' \\\n | sed 's/-\\{2,\\}/-/g' \\\n | sed 's/^-//' \\\n | sed 's/-$//' \\\n | cut -c1-48)\"\n\nif [ -z \"$slug\" ]; then\n slug=\"candidate\"\nfi\n\nresolved_target_kind=\"$TARGET_KIND\"\nif [ \"$resolved_target_kind\" = \"\" ] || [ \"$resolved_target_kind\" = \"auto\" ]; then\n case \"$RECOMMENDATION_KIND\" in\n continuous_workflow)\n resolved_target_kind=\"workflow\"\n ;;\n shared_prompt_or_chatops)\n resolved_target_kind=\"shared_prompt\"\n ;;\n keep_ad_hoc_but_standardize)\n resolved_target_kind=\"playbook\"\n ;;\n *)\n resolved_target_kind=\"workflow\"\n ;;\n esac\nfi\n\nsample_len=${#sample_prompt}\nevidence_len=${#evidence_summary}\ncandidate_strength=\"weak\"\nif [ \"$sample_len\" -ge 24 ] || [ \"$evidence_len\" -ge 40 ] || [ -n \"$CANDIDATE_JSON\" ]; then\n candidate_strength=\"strong\"\nfi\n\njq -n \\\n --arg title \"$candidate_title\" \\\n --arg slug \"$slug\" \\\n --arg recommendation_kind \"$RECOMMENDATION_KIND\" \\\n --arg resolved_target_kind \"$resolved_target_kind\" \\\n --arg sample_prompt \"$sample_prompt\" \\\n --arg evidence_summary \"$evidence_summary\" \\\n --arg candidate_strength \"$candidate_strength\" \\\n --slurpfile raw /tmp/gh-aw/data/candidate-raw.json '\n {\n title: $title,\n slug: $slug,\n recommendation_kind: $recommendation_kind,\n resolved_target_kind: $resolved_target_kind,\n candidate_strength: $candidate_strength,\n sample_prompt: (if $sample_prompt == \"\" then null else $sample_prompt end),\n evidence_summary: (if $evidence_summary == \"\" then null else $evidence_summary end),\n raw_candidate: $raw[0]\n }\n ' > /tmp/gh-aw/data/candidate.json\n\njq -n \\\n --arg resolved_target_kind \"$resolved_target_kind\" \\\n --arg slug \"$slug\" '\n {\n target_path: (\n if $resolved_target_kind == \"workflow\" then \".github/workflows/\" + $slug + \".md\"\n elif $resolved_target_kind == \"shared_prompt\" then \".github/workflows/shared/\" + $slug + \".md\"\n else \".github/workflows/shared/\" + $slug + \"-playbook.md\"\n end\n ),\n trigger_hint: (\n if $resolved_target_kind == \"workflow\" then \"Prefer workflow_dispatch first; choose schedule or event triggers only when repeated evidence justifies automation.\"\n elif $resolved_target_kind == \"shared_prompt\" then \"Prefer a reusable prompt or shared workflow component before full automation.\"\n else \"Keep this human-in-the-loop and produce a reusable playbook or prompt template.\"\n end\n ),\n implementation_bias: \"Prefer the smallest durable artifact that reduces repeated prompting without widening scope.\",\n report_style: \"Use issue sections with visible summary and one fenced draft block.\"\n }\n ' > /tmp/gh-aw/data/derived-plan.json" - name: Configure Git credentials env: diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 67ff903d5b0..947b21d9824 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -537,7 +537,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Fetch PR comments for detailed analysis - run: "# Create comments directory\nmkdir -p /tmp/gh-aw/agent/pr-comments\n\n# Fetch detailed comments for each PR from the pre-fetched data\nPR_COUNT=$(jq 'length' /tmp/gh-aw/agent/pr-data/copilot-prs.json)\necho \"Fetching comments for $PR_COUNT PRs...\"\n\njq -r '.[].number' /tmp/gh-aw/agent/pr-data/copilot-prs.json | while read -r PR_NUM; do\n echo \"Fetching comments for PR #${PR_NUM}\"\n gh pr view \"${PR_NUM}\" \\\n --json comments,reviews,reviewComments \\\n > \"/tmp/gh-aw/agent/pr-comments/pr-${PR_NUM}.json\" 2>/dev/null || echo \"{}\" > \"/tmp/gh-aw/agent/pr-comments/pr-${PR_NUM}.json\"\n sleep 0.5 # Rate limiting\ndone\n\necho \"Comment data saved to /tmp/gh-aw/agent/pr-comments/\"\n" + run: "# Create comments directory\nmkdir -p /tmp/gh-aw/agent/pr-comments\n\n# Fetch detailed comments for each PR from the pre-fetched data\nPR_COUNT=$(jq 'length' /tmp/gh-aw/agent/pr-data/copilot-prs.json)\necho \"Fetching comments for $PR_COUNT PRs...\"\n\njq -r '.[].number' /tmp/gh-aw/agent/pr-data/copilot-prs.json | while read -r PR_NUM; do\n echo \"Fetching comments for PR #${PR_NUM}\"\n gh pr view \"${PR_NUM}\" \\\n --json comments,reviews,reviewComments \\\n > \"/tmp/gh-aw/agent/pr-comments/pr-${PR_NUM}.json\" 2>/dev/null || echo \"{}\" > \"/tmp/gh-aw/agent/pr-comments/pr-${PR_NUM}.json\"\n sleep 0.5 # Rate limiting\ndone\n\necho \"Comment data saved to /tmp/gh-aw/agent/pr-comments/\"" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory diff --git a/.github/workflows/daily-ambient-context-optimizer.lock.yml b/.github/workflows/daily-ambient-context-optimizer.lock.yml index a32ef0424a2..70f2f6fa5ca 100644 --- a/.github/workflows/daily-ambient-context-optimizer.lock.yml +++ b/.github/workflows/daily-ambient-context-optimizer.lock.yml @@ -521,7 +521,7 @@ jobs: uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} - script: "const fs = require('fs');\n\nconst { owner, repo } = context.repo;\nconst OPTIMIZER_PATTERNS = [\n 'copilot/ambient-context',\n 'copilot/daily-ambient-context',\n 'ambient-context-optim',\n];\n\nconst cutoff7d = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000);\n\nconst allPrs = await github.paginate(github.rest.pulls.list, {\n owner, repo, state: 'all', per_page: 100,\n});\n\nconst optPrs7d = allPrs.filter((pr) => {\n const branch = pr.head?.ref || '';\n return (\n OPTIMIZER_PATTERNS.some((p) => branch.includes(p)) &&\n new Date(pr.created_at) >= cutoff7d\n );\n});\n\nconst merged7d = optPrs7d.filter((pr) => pr.merged_at);\nconst closed7d = optPrs7d.filter((pr) => !pr.merged_at && pr.closed_at);\nconst totalSettled = merged7d.length + closed7d.length;\n\n// close_rate is null when sample < 3 to avoid misleading zero reads\nconst closeRate = totalSettled >= 3 ? closed7d.length / totalSettled : null;\nconst autoPause = closeRate !== null && closeRate >= 0.30;\n\nconst rateData = {\n merged_7d: merged7d.length,\n closed_7d: closed7d.length,\n total_settled_7d: totalSettled,\n close_rate: closeRate !== null ? Math.round(closeRate * 1000) / 1000 : null,\n auto_pause: autoPause,\n note: 'close_rate is null when total_settled_7d < 3 (insufficient data for auto-pause)',\n};\n\nfs.writeFileSync('/tmp/gh-aw/ambient-context/pr-close-rate.json', JSON.stringify(rateData, null, 2));\n\nconst rateStr = closeRate !== null ? `${Math.round(closeRate * 100)}%` : 'N/A (< 3 settled PRs)';\ncore.info(`PR close-rate (7d): ${rateStr} (${closed7d.length} closed, ${merged7d.length} merged)${autoPause ? ' — AUTO-PAUSE ACTIVE' : ''}`);\n" + script: "const fs = require('fs');\n\nconst { owner, repo } = context.repo;\nconst OPTIMIZER_PATTERNS = [\n 'copilot/ambient-context',\n 'copilot/daily-ambient-context',\n 'ambient-context-optim',\n];\n\nconst cutoff7d = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000);\n\nconst allPrs = await github.paginate(github.rest.pulls.list, {\n owner, repo, state: 'all', per_page: 100,\n});\n\nconst optPrs7d = allPrs.filter((pr) => {\n const branch = pr.head?.ref || '';\n return (\n OPTIMIZER_PATTERNS.some((p) => branch.includes(p)) &&\n new Date(pr.created_at) >= cutoff7d\n );\n});\n\nconst merged7d = optPrs7d.filter((pr) => pr.merged_at);\nconst closed7d = optPrs7d.filter((pr) => !pr.merged_at && pr.closed_at);\nconst totalSettled = merged7d.length + closed7d.length;\n\n// close_rate is null when sample < 3 to avoid misleading zero reads\nconst closeRate = totalSettled >= 3 ? closed7d.length / totalSettled : null;\nconst autoPause = closeRate !== null && closeRate >= 0.30;\n\nconst rateData = {\n merged_7d: merged7d.length,\n closed_7d: closed7d.length,\n total_settled_7d: totalSettled,\n close_rate: closeRate !== null ? Math.round(closeRate * 1000) / 1000 : null,\n auto_pause: autoPause,\n note: 'close_rate is null when total_settled_7d < 3 (insufficient data for auto-pause)',\n};\n\nfs.writeFileSync('/tmp/gh-aw/ambient-context/pr-close-rate.json', JSON.stringify(rateData, null, 2));\n\nconst rateStr = closeRate !== null ? `${Math.round(closeRate * 100)}%` : 'N/A (< 3 settled PRs)';\ncore.info(`PR close-rate (7d): ${rateStr} (${closed7d.length} closed, ${merged7d.length} merged)${autoPause ? ' — AUTO-PAUSE ACTIVE' : ''}`);" - name: Configure Git credentials env: diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index a840bc33df7..a9a473a9f14 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -546,7 +546,7 @@ jobs: name: Compute deterministic attributions (Tier 0, 1, 2) run: "# Tier 0: COMPLETED issues (direct contributions, no PR needed)\njq '[.[] | select(.stateReason == \"COMPLETED\") |\n . + {tier: 0, attribution_type: \"direct issue\", closing_prs: []}]' \\\n /tmp/gh-aw/agent/community-data/community_issues.json \\\n > /tmp/gh-aw/agent/community-data/tier0_attributed.json\n\nT0=$(jq length /tmp/gh-aw/agent/community-data/tier0_attributed.json)\necho \"Tier 0 (direct issue — COMPLETED): $T0\"\n\n# Tier 1: native GitHub close references (exclude Tier 0 issues)\njq --slurpfile issues /tmp/gh-aw/agent/community-data/community_issues.json \\\n --slurpfile t0 /tmp/gh-aw/agent/community-data/tier0_attributed.json '\n ($t0[0] | map(.number) | map(tostring)) as $t0_keys |\n ($issues[0] | map(.number | tostring)) as $issue_keys |\n to_entries |\n map(select(\n .key as $k |\n ($issue_keys | index($k) != null) and\n ($t0_keys | index($k) == null)\n )) |\n map(.key as $k | .value as $prs |\n ($issues[0] | map(select(.number | tostring == $k))[0]) +\n {tier: 1, attribution_type: \"resolved by PR\", closing_prs: $prs}\n )\n' /tmp/gh-aw/agent/community-data/closing_refs_by_issue.json \\\n > /tmp/gh-aw/agent/community-data/tier1_attributed.json 2>/dev/null \\\n || echo \"[]\" > /tmp/gh-aw/agent/community-data/tier1_attributed.json\n\nT1=$(jq length /tmp/gh-aw/agent/community-data/tier1_attributed.json)\necho \"Tier 1 (native close refs): $T1\"\n\n# Tier 2: PR body keyword matching (exclude Tier 0 and Tier 1 issues)\nKW_ISSUES=$(jq -r '.[].body // \"\"' /tmp/gh-aw/agent/community-data/pull_requests.json \\\n | grep -oP '(?i)(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?)\\s*(?:github/gh-aw#|#)\\K[0-9]+' 2>/dev/null \\\n | sort -u | jq -R 'tonumber' | jq -s 'sort | unique' 2>/dev/null \\\n || echo \"[]\")\n\njq --argjson kw \"$KW_ISSUES\" \\\n --slurpfile t0 /tmp/gh-aw/agent/community-data/tier0_attributed.json \\\n --slurpfile t1 /tmp/gh-aw/agent/community-data/tier1_attributed.json '\n ($t0[0] | map(.number)) as $t0_nums |\n ($t1[0] | map(.number)) as $t1_nums |\n [.[] |\n select(\n .number as $n |\n ($kw | index($n) != null) and\n ($t0_nums | index($n) == null) and\n ($t1_nums | index($n) == null)\n ) |\n . + {tier: 2, attribution_type: \"resolved by PR\", closing_prs: []}\n ]\n' /tmp/gh-aw/agent/community-data/community_issues.json \\\n > /tmp/gh-aw/agent/community-data/tier2_attributed.json 2>/dev/null \\\n || echo \"[]\" > /tmp/gh-aw/agent/community-data/tier2_attributed.json\n\nT2=$(jq length /tmp/gh-aw/agent/community-data/tier2_attributed.json)\necho \"Tier 2 (PR body keywords): $T2\"\n\n# Combine Tier 0 + 1 + 2 into pre_attributed.json\njq -n \\\n --slurpfile t0 /tmp/gh-aw/agent/community-data/tier0_attributed.json \\\n --slurpfile t1 /tmp/gh-aw/agent/community-data/tier1_attributed.json \\\n --slurpfile t2 /tmp/gh-aw/agent/community-data/tier2_attributed.json \\\n '$t0[0] + $t1[0] + $t2[0]' \\\n > /tmp/gh-aw/agent/community-data/pre_attributed.json\n\nTOTAL=$(jq length /tmp/gh-aw/agent/community-data/pre_attributed.json)\necho \"\"\necho \"Pre-attributed: $TOTAL issues (Tier 0: $T0, Tier 1: $T1, Tier 2: $T2)\"\n\n# Compute Tier 3+ candidates (closed in window, not yet pre-attributed)\njq --slurpfile pre /tmp/gh-aw/agent/community-data/pre_attributed.json '\n ($pre[0] | map(.number)) as $attributed |\n [.[] | select(.number as $n | $attributed | index($n) == null)]\n' /tmp/gh-aw/agent/community-data/community_issues_closed_in_window.json \\\n > /tmp/gh-aw/agent/community-data/tier3_candidates.json 2>/dev/null \\\n || echo \"[]\" > /tmp/gh-aw/agent/community-data/tier3_candidates.json\n\nT3=$(jq length /tmp/gh-aw/agent/community-data/tier3_candidates.json)\necho \"Tier 3+ candidates (agent lookup needed): $T3\"\n\n# Cap Tier 3 to 5 per run — prevents runaway API call loops when there are\n# many unlinked issues. Remaining candidates will be processed in future runs.\njq '.[0:5]' /tmp/gh-aw/agent/community-data/tier3_candidates.json \\\n > /tmp/gh-aw/agent/community-data/tier3_candidates_capped.json\nT3_CAPPED=$(jq length /tmp/gh-aw/agent/community-data/tier3_candidates_capped.json)\nif [ \"$T3_CAPPED\" -lt \"$T3\" ]; then\n echo \"⚠ Capped Tier 3 lookups: processing $T3_CAPPED of $T3 candidates this run\"\nfi\necho \"\"\necho \"Data available in /tmp/gh-aw/agent/community-data/:\"\necho \" pre_attributed.json — Tier 0+1+2 confirmed attributions\"\necho \" tier3_candidates_capped.json — up to 5 issues needing Tier 3 agent lookup (this run)\"\necho \" tier3_candidates.json — full list of Tier 3+ candidates (for reference)\"\n" - name: Format attribution data for agent - run: "DATA_DIR=/tmp/gh-aw/agent/community-data\n\n# Group Tier 0-2 attributions by author for agent-ready consumption.\n# Produces a structured JSON the agent can read with `cat` — no jq needed.\njq '\n group_by(.author.login) |\n sort_by(.[0].author.login | ascii_downcase) |\n map({\n author: .[0].author.login,\n count: length,\n issues: (sort_by(-.number))\n })\n' \"$DATA_DIR/pre_attributed.json\" \\\n > \"$DATA_DIR/attribution_by_author.json\" 2>/dev/null \\\n || echo \"[]\" > \"$DATA_DIR/attribution_by_author.json\"\n\nAUTHOR_COUNT=$(jq length \"$DATA_DIR/attribution_by_author.json\")\nISSUE_COUNT=$(jq length \"$DATA_DIR/pre_attributed.json\")\necho \"✓ Grouped: $AUTHOR_COUNT authors, $ISSUE_COUNT issues\"\n\n# Generate the pre-formatted README community section (Tier 0-2 only).\n# The agent reads this file directly, appends Tier 3 results, and inserts\n# the result into README.md — no bash data-processing required.\n{\n REPO_URL=\"https://github.com/${GITHUB_REPOSITORY:-github/gh-aw}\"\n SEARCH_BASE=\"${REPO_URL}/issues?q=is%3Aissue+is%3Aclosed+label%3Acommunity+author%3A\"\n echo \"## 🌍 Community Contributions\"\n echo \"\"\n echo \"Community members whose issues were resolved — updated automatically.\"\n echo \"\"\n jq -r --arg base \"$SEARCH_BASE\" '\n .[] |\n \"[@\\(.author) (\\(.count))](\\($base + .author))\"\n ' \"$DATA_DIR/attribution_by_author.json\"\n echo \"\"\n} > \"$DATA_DIR/readme_community_section_tier012.md\"\n\necho \"✓ Generated readme_community_section_tier012.md\"\necho \"\"\necho \"Data available in $DATA_DIR/:\"\necho \" attribution_by_author.json — Tier 0-2 issues grouped by author (agent-ready)\"\necho \" readme_community_section_tier012.md — pre-formatted README section (Tier 0-2 only)\"\n" + run: "DATA_DIR=/tmp/gh-aw/agent/community-data\n\n# Group Tier 0-2 attributions by author for agent-ready consumption.\n# Produces a structured JSON the agent can read with `cat` — no jq needed.\njq '\n group_by(.author.login) |\n sort_by(.[0].author.login | ascii_downcase) |\n map({\n author: .[0].author.login,\n count: length,\n issues: (sort_by(-.number))\n })\n' \"$DATA_DIR/pre_attributed.json\" \\\n > \"$DATA_DIR/attribution_by_author.json\" 2>/dev/null \\\n || echo \"[]\" > \"$DATA_DIR/attribution_by_author.json\"\n\nAUTHOR_COUNT=$(jq length \"$DATA_DIR/attribution_by_author.json\")\nISSUE_COUNT=$(jq length \"$DATA_DIR/pre_attributed.json\")\necho \"✓ Grouped: $AUTHOR_COUNT authors, $ISSUE_COUNT issues\"\n\n# Generate the pre-formatted README community section (Tier 0-2 only).\n# The agent reads this file directly, appends Tier 3 results, and inserts\n# the result into README.md — no bash data-processing required.\n{\n REPO_URL=\"https://github.com/${GITHUB_REPOSITORY:-github/gh-aw}\"\n SEARCH_BASE=\"${REPO_URL}/issues?q=is%3Aissue+is%3Aclosed+label%3Acommunity+author%3A\"\n echo \"## 🌍 Community Contributions\"\n echo \"\"\n echo \"Community members whose issues were resolved — updated automatically.\"\n echo \"\"\n jq -r --arg base \"$SEARCH_BASE\" '\n .[] |\n \"[@\\(.author) (\\(.count))](\\($base + .author))\"\n ' \"$DATA_DIR/attribution_by_author.json\"\n echo \"\"\n} > \"$DATA_DIR/readme_community_section_tier012.md\"\n\necho \"✓ Generated readme_community_section_tier012.md\"\necho \"\"\necho \"Data available in $DATA_DIR/:\"\necho \" attribution_by_author.json — Tier 0-2 issues grouped by author (agent-ready)\"\necho \" readme_community_section_tier012.md — pre-formatted README section (Tier 0-2 only)\"" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone wiki-memory branch (default) diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index eca14f3a017..16cc64a7a7c 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -576,7 +576,7 @@ jobs: - env: EXPR_GITHUB_RUN_ID: ${{ github.run_id }} name: Wait for server readiness - run: "PID_FILE=\"/tmp/gh-aw/agent/docs-server-$EXPR_GITHUB_RUN_ID.pid\"\nLOG_FILE=\"/tmp/gh-aw/agent/docs-server-$EXPR_GITHUB_RUN_ID.log\"\nMAX_WAIT=135 # Maximum 135 seconds wait time\nWAITED=0\nuntil curl -sf http://localhost:4321/gh-aw/ > /dev/null 2>&1; do\n # Check if the server process has already died\n if [ -f \"$PID_FILE\" ] && ! kill -0 \"$(cat \"$PID_FILE\")\" 2>/dev/null; then\n echo \"::error::Documentation server process died before becoming ready. Server log:\"\n cat \"$LOG_FILE\"\n exit 1\n fi\n WAITED=$((WAITED + 3))\n if [ $WAITED -ge $MAX_WAIT ]; then\n echo \"::error::Documentation server did not start after ${MAX_WAIT}s. Server log:\"\n cat \"$LOG_FILE\"\n exit 1\n fi\n echo \"Waiting for server... ($WAITED/${MAX_WAIT}s)\"\n sleep 3\ndone\necho \"Server ready at http://localhost:4321/gh-aw/!\"\n" + run: "PID_FILE=\"/tmp/gh-aw/agent/docs-server-$EXPR_GITHUB_RUN_ID.pid\"\nLOG_FILE=\"/tmp/gh-aw/agent/docs-server-$EXPR_GITHUB_RUN_ID.log\"\nMAX_WAIT=135 # Maximum 135 seconds wait time\nWAITED=0\nuntil curl -sf http://localhost:4321/gh-aw/ > /dev/null 2>&1; do\n # Check if the server process has already died\n if [ -f \"$PID_FILE\" ] && ! kill -0 \"$(cat \"$PID_FILE\")\" 2>/dev/null; then\n echo \"::error::Documentation server process died before becoming ready. Server log:\"\n cat \"$LOG_FILE\"\n exit 1\n fi\n WAITED=$((WAITED + 3))\n if [ $WAITED -ge $MAX_WAIT ]; then\n echo \"::error::Documentation server did not start after ${MAX_WAIT}s. Server log:\"\n cat \"$LOG_FILE\"\n exit 1\n fi\n echo \"Waiting for server... ($WAITED/${MAX_WAIT}s)\"\n sleep 3\ndone\necho \"Server ready at http://localhost:4321/gh-aw/!\"" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index 384569f9a99..f7b2d9430ff 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml @@ -578,7 +578,7 @@ jobs: - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Download integrity-filtered logs - run: "mkdir -p /tmp/gh-aw/agent/integrity\nmkdir -p /tmp/gh-aw/cache-memory/security-observability\n\nCACHE_FILE=/tmp/gh-aw/cache-memory/security-observability/filtered-logs.snapshot.json\nRUN_FILE=/tmp/gh-aw/agent/integrity/filtered-logs.json\nFRESH_LOGS=/tmp/gh-aw/agent/integrity/filtered-logs.fresh.json\nEMPTY_DATA='{\"runs\":[],\"summary\":{\"total_runs\":0}}'\nNOW_EPOCH=$(date +%s)\nMAX_CACHE_AGE_SECONDS=$((7 * 24 * 60 * 60))\n\n# Warm start from cached 7-day snapshot when available and fresh.\nif [ -f \"$CACHE_FILE\" ] && jq -e '.runs and .updated_at' \"$CACHE_FILE\" > /dev/null 2>&1; then\n cache_updated_at=$(jq -r '.updated_at' \"$CACHE_FILE\")\n cache_updated_epoch=$(\n date -d \"$cache_updated_at\" +%s 2>/dev/null \\\n || date -j -f \"%Y-%m-%dT%H:%M:%SZ\" \"$cache_updated_at\" +%s 2>/dev/null \\\n || echo 0\n )\n cache_age_seconds=$((NOW_EPOCH - cache_updated_epoch))\n if [ \"$cache_updated_epoch\" -gt 0 ] && [ \"$cache_age_seconds\" -le \"$MAX_CACHE_AGE_SECONDS\" ]; then\n jq '{runs: (.runs // []), summary: (.summary // {\"total_runs\": 0})}' \"$CACHE_FILE\" > \"$RUN_FILE\"\n echo \"✅ Warm cache restored (${cache_age_seconds}s old)\"\n else\n echo \"⚠️ Cache snapshot is stale (${cache_age_seconds}s old); starting fresh\"\n fi\nfi\n\n# Download logs filtered to only runs with DIFC integrity-filtered events.\n# --artifacts mcp: only download the MCP gateway log artifact (sufficient for DIFC checking).\n# --timeout 8: cap execution at 8 minutes to prevent runaway downloads.\ngh aw logs --filtered-integrity --start-date -7d --json -c 200 \\\n --artifacts mcp --timeout 8 \\\n > \"$FRESH_LOGS\" || true\n\n# Validate JSON output and fall back to an empty dataset on failure\nif ! jq -e '.runs' \"$FRESH_LOGS\" > /dev/null 2>&1; then\n echo \"⚠️ No valid logs produced; continuing with empty dataset\"\n echo \"$EMPTY_DATA\" > \"$FRESH_LOGS\"\nfi\n\n# Merge warm-start and fresh runs; fresh entries override warm-cache entries with the same run_id.\nif [ -f \"$RUN_FILE\" ] && jq -e '.runs' \"$RUN_FILE\" > /dev/null 2>&1; then\n jq -s '\n {\n runs: (\n ((.[0].runs // []) + (.[1].runs // []))\n | sort_by(.run_id)\n | group_by(.run_id)\n | map(.[-1])\n ),\n summary: {\n total_runs: (\n ((.[0].runs // []) + (.[1].runs // []) | sort_by(.run_id) | group_by(.run_id) | length)\n )\n }\n }\n ' \"$RUN_FILE\" \"$FRESH_LOGS\" > \"$RUN_FILE.merged\"\n mv \"$RUN_FILE.merged\" \"$RUN_FILE\"\nelse\n mv \"$FRESH_LOGS\" \"$RUN_FILE\"\nfi\n\ncount=$(jq '.runs | length' \"$RUN_FILE\" 2>/dev/null || echo 0)\necho \"✅ Downloaded $count runs with integrity-filtered events\"\n\n# Persist updated 7-day snapshot back to cache-memory every run.\njq -n \\\n --arg updated_at \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" \\\n --slurpfile payload \"$RUN_FILE\" \\\n '{\n updated_at: $updated_at,\n runs: ($payload[0].runs // []),\n summary: {\n total_runs: (($payload[0].runs // []) | length)\n }\n }' > \"$CACHE_FILE\"\n" + run: "mkdir -p /tmp/gh-aw/agent/integrity\nmkdir -p /tmp/gh-aw/cache-memory/security-observability\n\nCACHE_FILE=/tmp/gh-aw/cache-memory/security-observability/filtered-logs.snapshot.json\nRUN_FILE=/tmp/gh-aw/agent/integrity/filtered-logs.json\nFRESH_LOGS=/tmp/gh-aw/agent/integrity/filtered-logs.fresh.json\nEMPTY_DATA='{\"runs\":[],\"summary\":{\"total_runs\":0}}'\nNOW_EPOCH=$(date +%s)\nMAX_CACHE_AGE_SECONDS=$((7 * 24 * 60 * 60))\n\n# Warm start from cached 7-day snapshot when available and fresh.\nif [ -f \"$CACHE_FILE\" ] && jq -e '.runs and .updated_at' \"$CACHE_FILE\" > /dev/null 2>&1; then\n cache_updated_at=$(jq -r '.updated_at' \"$CACHE_FILE\")\n cache_updated_epoch=$(\n date -d \"$cache_updated_at\" +%s 2>/dev/null \\\n || date -j -f \"%Y-%m-%dT%H:%M:%SZ\" \"$cache_updated_at\" +%s 2>/dev/null \\\n || echo 0\n )\n cache_age_seconds=$((NOW_EPOCH - cache_updated_epoch))\n if [ \"$cache_updated_epoch\" -gt 0 ] && [ \"$cache_age_seconds\" -le \"$MAX_CACHE_AGE_SECONDS\" ]; then\n jq '{runs: (.runs // []), summary: (.summary // {\"total_runs\": 0})}' \"$CACHE_FILE\" > \"$RUN_FILE\"\n echo \"✅ Warm cache restored (${cache_age_seconds}s old)\"\n else\n echo \"⚠️ Cache snapshot is stale (${cache_age_seconds}s old); starting fresh\"\n fi\nfi\n\n# Download logs filtered to only runs with DIFC integrity-filtered events.\n# --artifacts mcp: only download the MCP gateway log artifact (sufficient for DIFC checking).\n# --timeout 8: cap execution at 8 minutes to prevent runaway downloads.\ngh aw logs --filtered-integrity --start-date -7d --json -c 200 \\\n --artifacts mcp --timeout 8 \\\n > \"$FRESH_LOGS\" || true\n\n# Validate JSON output and fall back to an empty dataset on failure\nif ! jq -e '.runs' \"$FRESH_LOGS\" > /dev/null 2>&1; then\n echo \"⚠️ No valid logs produced; continuing with empty dataset\"\n echo \"$EMPTY_DATA\" > \"$FRESH_LOGS\"\nfi\n\n# Merge warm-start and fresh runs; fresh entries override warm-cache entries with the same run_id.\nif [ -f \"$RUN_FILE\" ] && jq -e '.runs' \"$RUN_FILE\" > /dev/null 2>&1; then\n jq -s '\n {\n runs: (\n ((.[0].runs // []) + (.[1].runs // []))\n | sort_by(.run_id)\n | group_by(.run_id)\n | map(.[-1])\n ),\n summary: {\n total_runs: (\n ((.[0].runs // []) + (.[1].runs // []) | sort_by(.run_id) | group_by(.run_id) | length)\n )\n }\n }\n ' \"$RUN_FILE\" \"$FRESH_LOGS\" > \"$RUN_FILE.merged\"\n mv \"$RUN_FILE.merged\" \"$RUN_FILE\"\nelse\n mv \"$FRESH_LOGS\" \"$RUN_FILE\"\nfi\n\ncount=$(jq '.runs | length' \"$RUN_FILE\" 2>/dev/null || echo 0)\necho \"✅ Downloaded $count runs with integrity-filtered events\"\n\n# Persist updated 7-day snapshot back to cache-memory every run.\njq -n \\\n --arg updated_at \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" \\\n --slurpfile payload \"$RUN_FILE\" \\\n '{\n updated_at: $updated_at,\n runs: ($payload[0].runs // []),\n summary: {\n total_runs: (($payload[0].runs // []) | length)\n }\n }' > \"$CACHE_FILE\"" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory diff --git a/.github/workflows/daily-spdd-spec-planner.lock.yml b/.github/workflows/daily-spdd-spec-planner.lock.yml index c30b8925fa7..df68af6c566 100644 --- a/.github/workflows/daily-spdd-spec-planner.lock.yml +++ b/.github/workflows/daily-spdd-spec-planner.lock.yml @@ -482,7 +482,7 @@ jobs: - env: GH_TOKEN: ${{ github.token }} name: Copy OpenSPDD prompts - run: "set -euo pipefail\n# Resolve the latest OpenSPDD main ref each run via authenticated GitHub API.\n# This intentionally tracks upstream prompt updates while avoiding unauthenticated rate limits.\nOPENSPDD_REF=\"$(gh api repos/gszhangwei/open-spdd/commits/main --jq .sha)\"\ntest -n \"${OPENSPDD_REF}\" || { echo \"::error::Failed to resolve OpenSPDD main ref\"; exit 1; }\nPROMPTS_DIR=\"${GITHUB_WORKSPACE}/.github/copilot-prompts\"\nmkdir -p \"${PROMPTS_DIR}\"\nfor PROMPT in spdd-analysis spdd-reasons-canvas spdd-generate spdd-sync; do\n gh api \\\n -H \"Accept: application/vnd.github.raw\" \\\n \"repos/gszhangwei/open-spdd/contents/.cursor/commands/${PROMPT}.md?ref=${OPENSPDD_REF}\" \\\n > \"${PROMPTS_DIR}/${PROMPT}.md\"\n test -s \"${PROMPTS_DIR}/${PROMPT}.md\" || { echo \"::error::Failed to download ${PROMPT}.md\"; exit 1; }\ndone\n" + run: "set -euo pipefail\n# Resolve the latest OpenSPDD main ref each run via authenticated GitHub API.\n# This intentionally tracks upstream prompt updates while avoiding unauthenticated rate limits.\nOPENSPDD_REF=\"$(gh api repos/gszhangwei/open-spdd/commits/main --jq .sha)\"\ntest -n \"${OPENSPDD_REF}\" || { echo \"::error::Failed to resolve OpenSPDD main ref\"; exit 1; }\nPROMPTS_DIR=\"${GITHUB_WORKSPACE}/.github/copilot-prompts\"\nmkdir -p \"${PROMPTS_DIR}\"\nfor PROMPT in spdd-analysis spdd-reasons-canvas spdd-generate spdd-sync; do\n gh api \\\n -H \"Accept: application/vnd.github.raw\" \\\n \"repos/gszhangwei/open-spdd/contents/.cursor/commands/${PROMPT}.md?ref=${OPENSPDD_REF}\" \\\n > \"${PROMPTS_DIR}/${PROMPT}.md\"\n test -s \"${PROMPTS_DIR}/${PROMPT}.md\" || { echo \"::error::Failed to download ${PROMPT}.md\"; exit 1; }\ndone" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory diff --git a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml index abc815c7377..44b80660eb5 100644 --- a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml +++ b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml @@ -738,7 +738,7 @@ jobs: GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql NODE_EXTRA_CA_CERTS: /tmp/gh-aw/proxy-logs/proxy-tls/ca.crt - name: Fetch merged PRs - run: | + run: |- bash "${RUNNER_TEMP}/gh-aw/actions/install_gh_cli.sh" # Fetch up to 500 merged PRs — title, body, metadata diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 307ba303ca6..aa8848c86aa 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -555,7 +555,7 @@ jobs: GH_AW_SKILL_DIR: ".github/skills" run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh" - name: Sample files and load memory - run: "mkdir -p /tmp/gh-aw/agent\n# Sample documentation files (eliminates agent exploratory find turns)\nfind docs/src/content/docs \\( -name '*.md' -o -name '*.mdx' \\) | shuf -n 2 > /tmp/gh-aw/agent/doc-samples.txt\n# Sample workflows with messages (pre-compute instead of agent grep)\ngrep -rl \"messages:\" .github/workflows/ --include=\"*.md\" | shuf -n 2 > /tmp/gh-aw/agent/workflow-samples.txt\n# Sample validation files\nfind pkg -name '*validation*.go' | shuf -n 1 > /tmp/gh-aw/agent/validation-sample.txt || echo \"No validation files found\" > /tmp/gh-aw/agent/validation-sample.txt\n# Load historical memory (eliminates agent memory-read turns)\ncat memory/delight/previous-findings.json 2>/dev/null > /tmp/gh-aw/agent/previous-findings.json || echo \"[]\" > /tmp/gh-aw/agent/previous-findings.json\ncat memory/delight/improvement-themes.json 2>/dev/null > /tmp/gh-aw/agent/improvement-themes.json || echo \"[]\" > /tmp/gh-aw/agent/improvement-themes.json\n" + run: "mkdir -p /tmp/gh-aw/agent\n# Sample documentation files (eliminates agent exploratory find turns)\nfind docs/src/content/docs \\( -name '*.md' -o -name '*.mdx' \\) | shuf -n 2 > /tmp/gh-aw/agent/doc-samples.txt\n# Sample workflows with messages (pre-compute instead of agent grep)\ngrep -rl \"messages:\" .github/workflows/ --include=\"*.md\" | shuf -n 2 > /tmp/gh-aw/agent/workflow-samples.txt\n# Sample validation files\nfind pkg -name '*validation*.go' | shuf -n 1 > /tmp/gh-aw/agent/validation-sample.txt || echo \"No validation files found\" > /tmp/gh-aw/agent/validation-sample.txt\n# Load historical memory (eliminates agent memory-read turns)\ncat memory/delight/previous-findings.json 2>/dev/null > /tmp/gh-aw/agent/previous-findings.json || echo \"[]\" > /tmp/gh-aw/agent/previous-findings.json\ncat memory/delight/improvement-themes.json 2>/dev/null > /tmp/gh-aw/agent/improvement-themes.json || echo \"[]\" > /tmp/gh-aw/agent/improvement-themes.json" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 442b31a476b..8b5501b7208 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -552,7 +552,7 @@ jobs: name: Prefetch dependabot burner context uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: - script: "const fs = require('fs');\nconst path = require('path');\n\nconst manifestTargets = new Set([\n '.github/workflows/package.json',\n '.github/workflows/package-lock.json',\n '.github/workflows/requirements.txt',\n '.github/workflows/go.mod',\n]);\nconst objective = (process.env.BURN_OBJECTIVE || '').trim() || 'Close grouped Dependabot PRs for generated workflow manifests by updating source workflow markdown and recompiling in one replacement PR.';\nconst outPath = '/tmp/gh-aw/agent/dependabot-burner/context.json';\n\nfunction parseBumpTitle(title) {\n const match = String(title || '').match(/^Bump\\s+(.+?)\\s+from\\s+([^\\s]+)\\s+to\\s+([^\\s]+)$/i);\n if (!match) {\n return {\n dependency_name: String(title || '').trim(),\n current_version: '',\n target_version: '',\n title_parse_mode: 'fallback',\n };\n }\n return {\n dependency_name: match[1],\n current_version: match[2],\n target_version: match[3],\n title_parse_mode: 'parsed',\n };\n}\n\nfunction normalizeManifestFamily(filename) {\n if (filename.includes('package')) {\n return 'npm';\n }\n if (filename.endsWith('requirements.txt')) {\n return 'pip';\n }\n if (filename.endsWith('go.mod')) {\n return 'go';\n }\n return 'other';\n}\n\nfunction summarizeFamilies(files) {\n return [...new Set((files || []).map(normalizeManifestFamily))].sort();\n}\n\nfunction getTriggerPRNumber() {\n if (context.payload.pull_request?.number) {\n return Number(context.payload.pull_request.number);\n }\n if (context.payload.issue?.pull_request && context.payload.issue?.number) {\n return Number(context.payload.issue.number);\n }\n return null;\n}\n\nasync function loadPullFiles(pullNumber) {\n const files = await github.paginate(github.rest.pulls.listFiles, {\n owner: context.repo.owner,\n repo: context.repo.repo,\n pull_number: pullNumber,\n per_page: 100,\n });\n return files.map((file) => file.filename).filter((filename) => manifestTargets.has(filename));\n}\n\nasync function listOpenDependabotPRs() {\n const pulls = await github.paginate(github.rest.pulls.list, {\n owner: context.repo.owner,\n repo: context.repo.repo,\n state: 'open',\n per_page: 100,\n });\n\n const candidates = [];\n for (const pull of pulls) {\n const author = pull.user?.login || '';\n if (author !== 'dependabot[bot]' && author !== 'app/dependabot') {\n continue;\n }\n\n const manifestFiles = await loadPullFiles(pull.number);\n if (manifestFiles.length === 0) {\n continue;\n }\n\n const parsed = parseBumpTitle(pull.title);\n candidates.push({\n number: pull.number,\n title: pull.title,\n dependency_name: parsed.dependency_name,\n current_version: parsed.current_version,\n target_version: parsed.target_version,\n title_parse_mode: parsed.title_parse_mode,\n manifest_files: manifestFiles,\n manifest_families: summarizeFamilies(manifestFiles),\n created_at: pull.created_at,\n updated_at: pull.updated_at,\n url: pull.html_url,\n });\n }\n\n return candidates.sort((a, b) => new Date(a.created_at).getTime() - new Date(b.created_at).getTime());\n}\n\nasync function listRecentClosedBurnerPRs() {\n const pulls = await github.paginate(github.rest.pulls.list, {\n owner: context.repo.owner,\n repo: context.repo.repo,\n state: 'closed',\n per_page: 100,\n });\n\n return pulls\n .filter((pull) => pull.title?.startsWith('[dependabot-burner] ') && !pull.merged_at)\n .slice(0, 20)\n .map((pull) => ({\n number: pull.number,\n title: pull.title,\n body: pull.body || '',\n url: pull.html_url,\n closed_at: pull.closed_at,\n created_at: pull.created_at,\n }))\n .sort((a, b) => new Date(b.closed_at || b.created_at).getTime() - new Date(a.closed_at || a.created_at).getTime());\n}\n\nconst triggerPRNumber = getTriggerPRNumber();\nconst openPRs = await listOpenDependabotPRs();\nconst recentFailedBurns = await listRecentClosedBurnerPRs();\n\nlet triggerPR = openPRs.find((pull) => pull.number === triggerPRNumber) || null;\nlet selectionReason = triggerPRNumber ? 'slash-command-trigger-not-in-scope' : 'bundle-all-open-manifest-prs';\nlet selectedPRs = openPRs;\n\nif (triggerPRNumber) {\n if (!triggerPR) {\n const manifestFiles = await loadPullFiles(triggerPRNumber);\n if (manifestFiles.length > 0) {\n const pull = await github.rest.pulls.get({\n owner: context.repo.owner,\n repo: context.repo.repo,\n pull_number: triggerPRNumber,\n });\n const parsed = parseBumpTitle(pull.data.title);\n triggerPR = {\n number: pull.data.number,\n title: pull.data.title,\n dependency_name: parsed.dependency_name,\n current_version: parsed.current_version,\n target_version: parsed.target_version,\n title_parse_mode: parsed.title_parse_mode,\n manifest_files: manifestFiles,\n manifest_families: summarizeFamilies(manifestFiles),\n created_at: pull.data.created_at,\n updated_at: pull.data.updated_at,\n url: pull.data.html_url,\n };\n }\n }\n\n if (triggerPR) {\n const triggerFiles = new Set(triggerPR.manifest_files || []);\n selectedPRs = openPRs.filter((pull) => {\n if (pull.number === triggerPR.number) {\n return true;\n }\n return (pull.manifest_files || []).some((file) => triggerFiles.has(file));\n });\n selectionReason = 'slash-command-similar-prs';\n } else {\n selectedPRs = [];\n }\n}\n\nconst payload = {\n objective,\n trigger_event: context.eventName,\n trigger_pr_number: triggerPRNumber,\n trigger_pr: triggerPR,\n selection_reason: selectionReason,\n open_pr_count: openPRs.length,\n selected_batch_pr_numbers: selectedPRs.map((pull) => pull.number),\n selected_batch_dependencies: selectedPRs.map((pull) => ({\n pr_number: pull.number,\n dependency_name: pull.dependency_name,\n current_version: pull.current_version,\n target_version: pull.target_version,\n title_parse_mode: pull.title_parse_mode,\n manifest_files: pull.manifest_files,\n manifest_families: pull.manifest_families,\n title: pull.title,\n url: pull.url,\n })),\n related_prs: triggerPRNumber ? selectedPRs.filter((pull) => pull.number !== triggerPRNumber) : [],\n recent_failed_burns: recentFailedBurns,\n};\n\nfs.mkdirSync(path.dirname(outPath), { recursive: true });\nfs.writeFileSync(outPath, JSON.stringify(payload, null, 2) + '\\n', 'utf8');\nconsole.log(JSON.stringify(payload, null, 2));\n" + script: "const fs = require('fs');\nconst path = require('path');\n\nconst manifestTargets = new Set([\n '.github/workflows/package.json',\n '.github/workflows/package-lock.json',\n '.github/workflows/requirements.txt',\n '.github/workflows/go.mod',\n]);\nconst objective = (process.env.BURN_OBJECTIVE || '').trim() || 'Close grouped Dependabot PRs for generated workflow manifests by updating source workflow markdown and recompiling in one replacement PR.';\nconst outPath = '/tmp/gh-aw/agent/dependabot-burner/context.json';\n\nfunction parseBumpTitle(title) {\n const match = String(title || '').match(/^Bump\\s+(.+?)\\s+from\\s+([^\\s]+)\\s+to\\s+([^\\s]+)$/i);\n if (!match) {\n return {\n dependency_name: String(title || '').trim(),\n current_version: '',\n target_version: '',\n title_parse_mode: 'fallback',\n };\n }\n return {\n dependency_name: match[1],\n current_version: match[2],\n target_version: match[3],\n title_parse_mode: 'parsed',\n };\n}\n\nfunction normalizeManifestFamily(filename) {\n if (filename.includes('package')) {\n return 'npm';\n }\n if (filename.endsWith('requirements.txt')) {\n return 'pip';\n }\n if (filename.endsWith('go.mod')) {\n return 'go';\n }\n return 'other';\n}\n\nfunction summarizeFamilies(files) {\n return [...new Set((files || []).map(normalizeManifestFamily))].sort();\n}\n\nfunction getTriggerPRNumber() {\n if (context.payload.pull_request?.number) {\n return Number(context.payload.pull_request.number);\n }\n if (context.payload.issue?.pull_request && context.payload.issue?.number) {\n return Number(context.payload.issue.number);\n }\n return null;\n}\n\nasync function loadPullFiles(pullNumber) {\n const files = await github.paginate(github.rest.pulls.listFiles, {\n owner: context.repo.owner,\n repo: context.repo.repo,\n pull_number: pullNumber,\n per_page: 100,\n });\n return files.map((file) => file.filename).filter((filename) => manifestTargets.has(filename));\n}\n\nasync function listOpenDependabotPRs() {\n const pulls = await github.paginate(github.rest.pulls.list, {\n owner: context.repo.owner,\n repo: context.repo.repo,\n state: 'open',\n per_page: 100,\n });\n\n const candidates = [];\n for (const pull of pulls) {\n const author = pull.user?.login || '';\n if (author !== 'dependabot[bot]' && author !== 'app/dependabot') {\n continue;\n }\n\n const manifestFiles = await loadPullFiles(pull.number);\n if (manifestFiles.length === 0) {\n continue;\n }\n\n const parsed = parseBumpTitle(pull.title);\n candidates.push({\n number: pull.number,\n title: pull.title,\n dependency_name: parsed.dependency_name,\n current_version: parsed.current_version,\n target_version: parsed.target_version,\n title_parse_mode: parsed.title_parse_mode,\n manifest_files: manifestFiles,\n manifest_families: summarizeFamilies(manifestFiles),\n created_at: pull.created_at,\n updated_at: pull.updated_at,\n url: pull.html_url,\n });\n }\n\n return candidates.sort((a, b) => new Date(a.created_at).getTime() - new Date(b.created_at).getTime());\n}\n\nasync function listRecentClosedBurnerPRs() {\n const pulls = await github.paginate(github.rest.pulls.list, {\n owner: context.repo.owner,\n repo: context.repo.repo,\n state: 'closed',\n per_page: 100,\n });\n\n return pulls\n .filter((pull) => pull.title?.startsWith('[dependabot-burner] ') && !pull.merged_at)\n .slice(0, 20)\n .map((pull) => ({\n number: pull.number,\n title: pull.title,\n body: pull.body || '',\n url: pull.html_url,\n closed_at: pull.closed_at,\n created_at: pull.created_at,\n }))\n .sort((a, b) => new Date(b.closed_at || b.created_at).getTime() - new Date(a.closed_at || a.created_at).getTime());\n}\n\nconst triggerPRNumber = getTriggerPRNumber();\nconst openPRs = await listOpenDependabotPRs();\nconst recentFailedBurns = await listRecentClosedBurnerPRs();\n\nlet triggerPR = openPRs.find((pull) => pull.number === triggerPRNumber) || null;\nlet selectionReason = triggerPRNumber ? 'slash-command-trigger-not-in-scope' : 'bundle-all-open-manifest-prs';\nlet selectedPRs = openPRs;\n\nif (triggerPRNumber) {\n if (!triggerPR) {\n const manifestFiles = await loadPullFiles(triggerPRNumber);\n if (manifestFiles.length > 0) {\n const pull = await github.rest.pulls.get({\n owner: context.repo.owner,\n repo: context.repo.repo,\n pull_number: triggerPRNumber,\n });\n const parsed = parseBumpTitle(pull.data.title);\n triggerPR = {\n number: pull.data.number,\n title: pull.data.title,\n dependency_name: parsed.dependency_name,\n current_version: parsed.current_version,\n target_version: parsed.target_version,\n title_parse_mode: parsed.title_parse_mode,\n manifest_files: manifestFiles,\n manifest_families: summarizeFamilies(manifestFiles),\n created_at: pull.data.created_at,\n updated_at: pull.data.updated_at,\n url: pull.data.html_url,\n };\n }\n }\n\n if (triggerPR) {\n const triggerFiles = new Set(triggerPR.manifest_files || []);\n selectedPRs = openPRs.filter((pull) => {\n if (pull.number === triggerPR.number) {\n return true;\n }\n return (pull.manifest_files || []).some((file) => triggerFiles.has(file));\n });\n selectionReason = 'slash-command-similar-prs';\n } else {\n selectedPRs = [];\n }\n}\n\nconst payload = {\n objective,\n trigger_event: context.eventName,\n trigger_pr_number: triggerPRNumber,\n trigger_pr: triggerPR,\n selection_reason: selectionReason,\n open_pr_count: openPRs.length,\n selected_batch_pr_numbers: selectedPRs.map((pull) => pull.number),\n selected_batch_dependencies: selectedPRs.map((pull) => ({\n pr_number: pull.number,\n dependency_name: pull.dependency_name,\n current_version: pull.current_version,\n target_version: pull.target_version,\n title_parse_mode: pull.title_parse_mode,\n manifest_files: pull.manifest_files,\n manifest_families: pull.manifest_families,\n title: pull.title,\n url: pull.url,\n })),\n related_prs: triggerPRNumber ? selectedPRs.filter((pull) => pull.number !== triggerPRNumber) : [],\n recent_failed_burns: recentFailedBurns,\n};\n\nfs.mkdirSync(path.dirname(outPath), { recursive: true });\nfs.writeFileSync(outPath, JSON.stringify(payload, null, 2) + '\\n', 'utf8');\nconsole.log(JSON.stringify(payload, null, 2));" # Cache configuration from frontmatter processed below - name: Dependabot burner selection context diff --git a/.github/workflows/design-decision-gate.lock.yml b/.github/workflows/design-decision-gate.lock.yml index df307f82470..45dcbd4276d 100644 --- a/.github/workflows/design-decision-gate.lock.yml +++ b/.github/workflows/design-decision-gate.lock.yml @@ -572,7 +572,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.pull_request.number || github.event.inputs.pr_number }} name: Pre-fetch ADR gate PR context - run: "set -euo pipefail\n\nif [ \"$EXPR_GITHUB_EVENT_NAME\" = \"workflow_dispatch\" ] && [ -z \"${PR_NUMBER:-}\" ]; then\n echo \"::error::workflow_dispatch requires inputs.pr_number\"\n exit 1\nfi\n\nmkdir -p /tmp/gh-aw/agent\n\ngh pr view \"$PR_NUMBER\" \\\n --repo \"$EXPR_GITHUB_REPOSITORY\" \\\n --json number,title,body,labels,baseRefName,headRefName,author,url \\\n > /tmp/gh-aw/agent/pr.json\n\ngh api --paginate \"repos/$EXPR_GITHUB_REPOSITORY/pulls/$PR_NUMBER/files?per_page=100\" \\\n --jq '.[]' | jq -s '.' > /tmp/gh-aw/agent/pr-files.json\n\nFILE_COUNT=$(jq 'length' /tmp/gh-aw/agent/pr-files.json)\n\nif [ \"$FILE_COUNT\" -gt 300 ]; then\n echo \"::warning::PR has $FILE_COUNT changed files (exceeds the 300-file GitHub diff API limit). Skipping full diff; file listing is available in pr-files.json.\"\n printf '# Diff unavailable: PR has %s changed files (exceeds the 300-file GitHub diff API limit).\\n# Use pr-files.json for the full file listing instead.\\n' \"$FILE_COUNT\" \\\n > /tmp/gh-aw/agent/pr.diff\nelse\n gh pr diff \"$PR_NUMBER\" \\\n --repo \"$EXPR_GITHUB_REPOSITORY\" \\\n > /tmp/gh-aw/agent/pr.diff\nfi\n\nif [ -f \"$EXPR_GITHUB_WORKSPACE/.design-gate.yml\" ]; then\n cp \"$EXPR_GITHUB_WORKSPACE/.design-gate.yml\" /tmp/gh-aw/agent/design-gate-config.yml\n HAS_CUSTOM_CONFIG=true\nelse\n echo \"No .design-gate.yml found — using defaults\" > /tmp/gh-aw/agent/design-gate-config.yml\n HAS_CUSTOM_CONFIG=false\nfi\n\nBUSINESS_ADDITIONS_DEFAULT=$(jq '[.[] | select(.filename | test(\"^(src|lib|pkg|internal|app|core|domain|services|api)/\")) | .additions] | add // 0' /tmp/gh-aw/agent/pr-files.json)\nHAS_IMPLEMENTATION_LABEL=$(jq '[.labels[]?.name] | index(\"implementation\") != null' /tmp/gh-aw/agent/pr.json)\n\njq -n \\\n --argjson default_business_additions \"$BUSINESS_ADDITIONS_DEFAULT\" \\\n --argjson has_implementation_label \"$HAS_IMPLEMENTATION_LABEL\" \\\n --argjson has_custom_config \"$HAS_CUSTOM_CONFIG\" \\\n --arg pr_number \"$PR_NUMBER\" \\\n --arg threshold \"100\" \\\n --argjson file_count \"$FILE_COUNT\" \\\n --argjson diff_available \"$(jq -n --argjson fc \"$FILE_COUNT\" 'if $fc <= 300 then true else false end')\" \\\n '{\n pr_number: ($pr_number | tonumber),\n threshold: ($threshold | tonumber),\n has_custom_config: $has_custom_config,\n has_implementation_label: $has_implementation_label,\n default_business_additions: $default_business_additions,\n requires_adr_by_default_volume: ($default_business_additions > ($threshold | tonumber)),\n file_count: $file_count,\n diff_available: $diff_available\n }' > /tmp/gh-aw/agent/adr-prefetch-summary.json\n" + run: "set -euo pipefail\n\nif [ \"$EXPR_GITHUB_EVENT_NAME\" = \"workflow_dispatch\" ] && [ -z \"${PR_NUMBER:-}\" ]; then\n echo \"::error::workflow_dispatch requires inputs.pr_number\"\n exit 1\nfi\n\nmkdir -p /tmp/gh-aw/agent\n\ngh pr view \"$PR_NUMBER\" \\\n --repo \"$EXPR_GITHUB_REPOSITORY\" \\\n --json number,title,body,labels,baseRefName,headRefName,author,url \\\n > /tmp/gh-aw/agent/pr.json\n\ngh api --paginate \"repos/$EXPR_GITHUB_REPOSITORY/pulls/$PR_NUMBER/files?per_page=100\" \\\n --jq '.[]' | jq -s '.' > /tmp/gh-aw/agent/pr-files.json\n\nFILE_COUNT=$(jq 'length' /tmp/gh-aw/agent/pr-files.json)\n\nif [ \"$FILE_COUNT\" -gt 300 ]; then\n echo \"::warning::PR has $FILE_COUNT changed files (exceeds the 300-file GitHub diff API limit). Skipping full diff; file listing is available in pr-files.json.\"\n printf '# Diff unavailable: PR has %s changed files (exceeds the 300-file GitHub diff API limit).\\n# Use pr-files.json for the full file listing instead.\\n' \"$FILE_COUNT\" \\\n > /tmp/gh-aw/agent/pr.diff\nelse\n gh pr diff \"$PR_NUMBER\" \\\n --repo \"$EXPR_GITHUB_REPOSITORY\" \\\n > /tmp/gh-aw/agent/pr.diff\nfi\n\nif [ -f \"$EXPR_GITHUB_WORKSPACE/.design-gate.yml\" ]; then\n cp \"$EXPR_GITHUB_WORKSPACE/.design-gate.yml\" /tmp/gh-aw/agent/design-gate-config.yml\n HAS_CUSTOM_CONFIG=true\nelse\n echo \"No .design-gate.yml found — using defaults\" > /tmp/gh-aw/agent/design-gate-config.yml\n HAS_CUSTOM_CONFIG=false\nfi\n\nBUSINESS_ADDITIONS_DEFAULT=$(jq '[.[] | select(.filename | test(\"^(src|lib|pkg|internal|app|core|domain|services|api)/\")) | .additions] | add // 0' /tmp/gh-aw/agent/pr-files.json)\nHAS_IMPLEMENTATION_LABEL=$(jq '[.labels[]?.name] | index(\"implementation\") != null' /tmp/gh-aw/agent/pr.json)\n\njq -n \\\n --argjson default_business_additions \"$BUSINESS_ADDITIONS_DEFAULT\" \\\n --argjson has_implementation_label \"$HAS_IMPLEMENTATION_LABEL\" \\\n --argjson has_custom_config \"$HAS_CUSTOM_CONFIG\" \\\n --arg pr_number \"$PR_NUMBER\" \\\n --arg threshold \"100\" \\\n --argjson file_count \"$FILE_COUNT\" \\\n --argjson diff_available \"$(jq -n --argjson fc \"$FILE_COUNT\" 'if $fc <= 300 then true else false end')\" \\\n '{\n pr_number: ($pr_number | tonumber),\n threshold: ($threshold | tonumber),\n has_custom_config: $has_custom_config,\n has_implementation_label: $has_implementation_label,\n default_business_additions: $default_business_additions,\n requires_adr_by_default_volume: ($default_business_additions > ($threshold | tonumber)),\n file_count: $file_count,\n diff_available: $diff_available\n }' > /tmp/gh-aw/agent/adr-prefetch-summary.json" - name: Configure Git credentials env: diff --git a/.github/workflows/designer-drift-audit.lock.yml b/.github/workflows/designer-drift-audit.lock.yml index d4a8dd3625c..8d1696dff2c 100644 --- a/.github/workflows/designer-drift-audit.lock.yml +++ b/.github/workflows/designer-drift-audit.lock.yml @@ -453,7 +453,7 @@ jobs: - name: Extract designer file metadata run: "# Skill file\nSKILL=\".github/skills/agentic-workflow-designer/SKILL.md\"\nif [ -f \"$SKILL\" ]; then\n {\n echo \"=== SKILL.md ===\"\n grep -n '^##' \"$SKILL\" | head -50\n echo \"---\"\n # Decision heuristic tables\n grep -E '^\\|.*\\|' \"$SKILL\" | grep -ivE '^\\|[\\s-]+\\|' | head -60\n echo \"---\"\n # Explicit references to .github/aw/ files\n grep -n '\\.github/aw/' \"$SKILL\" || true\n echo \"===\"\n } > /tmp/gh-aw/data/designer-skill.txt\nfi\n\n# Agent file\nAGENT=\".github/agents/interactive-agent-designer.agent.md\"\nif [ -f \"$AGENT\" ]; then\n {\n echo \"=== interactive-agent-designer.agent.md ===\"\n grep -n '^##' \"$AGENT\" | head -50\n echo \"---\"\n grep -E '^\\|.*\\|' \"$AGENT\" | grep -ivE '^\\|[\\s-]+\\|' | head -60\n echo \"---\"\n grep -n '\\.github/aw/' \"$AGENT\" || true\n echo \"===\"\n } > /tmp/gh-aw/data/designer-agent.txt\nfi\n" - name: Collect recent changes to reference docs - run: "# Commits in the last 7 days that touched reference docs\ngit log --oneline --since=\"7 days ago\" -- \\\n .github/aw/syntax.md \\\n .github/aw/safe-outputs.md \\\n .github/aw/network.md \\\n .github/aw/patterns.md \\\n .github/aw/subagents.md \\\n .github/aw/token-optimization.md \\\n .github/aw/triggers.md \\\n .github/aw/create-agentic-workflow.md \\\n > /tmp/gh-aw/data/recent-ref-commits.txt 2>/dev/null || true\n\n# Commits in the last 7 days that touched designer files\ngit log --oneline --since=\"7 days ago\" -- \\\n .github/skills/agentic-workflow-designer/SKILL.md \\\n .github/agents/interactive-agent-designer.agent.md \\\n > /tmp/gh-aw/data/recent-designer-commits.txt 2>/dev/null || true\n\n# New or changed safe output types (from validation config in Go)\ngrep -oP '\"(\\w+)\":\\s*\\{' pkg/workflow/safe_outputs_validation_config.go \\\n | sed 's/\": {//' | tr -d '\"' | sort \\\n > /tmp/gh-aw/data/all-safe-output-types.txt 2>/dev/null || true\n" + run: "# Commits in the last 7 days that touched reference docs\ngit log --oneline --since=\"7 days ago\" -- \\\n .github/aw/syntax.md \\\n .github/aw/safe-outputs.md \\\n .github/aw/network.md \\\n .github/aw/patterns.md \\\n .github/aw/subagents.md \\\n .github/aw/token-optimization.md \\\n .github/aw/triggers.md \\\n .github/aw/create-agentic-workflow.md \\\n > /tmp/gh-aw/data/recent-ref-commits.txt 2>/dev/null || true\n\n# Commits in the last 7 days that touched designer files\ngit log --oneline --since=\"7 days ago\" -- \\\n .github/skills/agentic-workflow-designer/SKILL.md \\\n .github/agents/interactive-agent-designer.agent.md \\\n > /tmp/gh-aw/data/recent-designer-commits.txt 2>/dev/null || true\n\n# New or changed safe output types (from validation config in Go)\ngrep -oP '\"(\\w+)\":\\s*\\{' pkg/workflow/safe_outputs_validation_config.go \\\n | sed 's/\": {//' | tr -d '\"' | sort \\\n > /tmp/gh-aw/data/all-safe-output-types.txt 2>/dev/null || true" - name: Configure Git credentials env: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 2fa3bdc6938..8189b40dc2a 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -557,7 +557,7 @@ jobs: - name: Wait for server readiness run: "MAX_WAIT=135 # 45 attempts × 3s = 135s max wait\nWAITED=0\nuntil (echo > /dev/tcp/127.0.0.1/4321) > /dev/null 2>&1; do\n # Check if the server process has already died\n if [ -f /tmp/gh-aw/agent/server.pid ] && ! kill -0 \"$(cat /tmp/gh-aw/agent/server.pid)\" 2>/dev/null; then\n echo \"::error::Documentation server process died before opening port 4321. Server log:\"\n cat /tmp/gh-aw/agent/preview.log\n exit 1\n fi\n WAITED=$((WAITED + 3))\n if [ $WAITED -ge $MAX_WAIT ]; then\n echo \"::error::Documentation server port 4321 did not open after ${MAX_WAIT}s. Server log:\"\n cat /tmp/gh-aw/agent/preview.log\n exit 1\n fi\n echo \"Waiting for docs port... ($WAITED/${MAX_WAIT}s)\"\n sleep 3\ndone\nWAITED=0\nuntil curl -sf http://localhost:4321/gh-aw/ > /dev/null 2>&1; do\n # Check if the server process has already died\n if [ -f /tmp/gh-aw/agent/server.pid ] && ! kill -0 \"$(cat /tmp/gh-aw/agent/server.pid)\" 2>/dev/null; then\n echo \"::error::Documentation server process died before becoming ready. Server log:\"\n cat /tmp/gh-aw/agent/preview.log\n exit 1\n fi\n WAITED=$((WAITED + 3))\n if [ $WAITED -ge $MAX_WAIT ]; then\n echo \"::error::Documentation server did not start after ${MAX_WAIT}s. Server log:\"\n cat /tmp/gh-aw/agent/preview.log\n exit 1\n fi\n echo \"Waiting for server... ($WAITED/${MAX_WAIT}s)\"\n sleep 3\ndone\necho \"Server ready at http://localhost:4321/gh-aw/!\"\n" - name: Write server URL for agent - run: "mkdir -p /tmp/gh-aw/agent\necho \"http://localhost:4321/gh-aw/\" > /tmp/gh-aw/agent/server-url.txt\necho \"Server URL: http://localhost:4321/gh-aw/\"\n" + run: "mkdir -p /tmp/gh-aw/agent\necho \"http://localhost:4321/gh-aw/\" > /tmp/gh-aw/agent/server-url.txt\necho \"Server URL: http://localhost:4321/gh-aw/\"" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/eslint-monster.lock.yml b/.github/workflows/eslint-monster.lock.yml index 4a833cb5297..4f0ea2bbfd4 100644 --- a/.github/workflows/eslint-monster.lock.yml +++ b/.github/workflows/eslint-monster.lock.yml @@ -473,7 +473,7 @@ jobs: GH_TOKEN: ${{ github.token }} - id: eslint_scan name: Run ESLint factory pre-check - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\nrm -f /tmp/gh-aw/agent/lint-clean.flag\nREPO_ROOT=\"$(pwd)\"\n\ncd eslint-factory\nnpm ci > /tmp/gh-aw/agent/eslint-factory.log 2>&1\n\nif npm run lint:setup-js >> /tmp/gh-aw/agent/eslint-factory.log 2>&1; then\n : > /tmp/gh-aw/agent/eslint-diagnostics.txt\n : > /tmp/gh-aw/agent/skill-index.txt\n touch /tmp/gh-aw/agent/lint-clean.flag\n exit 0\nfi\n\ngrep -E '^[^:]+:[0-9]+:[0-9]+:' /tmp/gh-aw/agent/eslint-factory.log > /tmp/gh-aw/agent/eslint-diagnostics.txt || true\ndiag_count=$(wc -l < /tmp/gh-aw/agent/eslint-diagnostics.txt | tr -d ' ')\nif [ \"${diag_count}\" -eq 0 ]; then\n grep -E '^[[:space:]]*[^[:space:]].*$' /tmp/gh-aw/agent/eslint-factory.log | head -n 80 > /tmp/gh-aw/agent/eslint-diagnostics.txt || true\nfi\n\nfind \"${REPO_ROOT}/.github/skills\" -maxdepth 6 -name 'SKILL.md' | sort > /tmp/gh-aw/agent/skill-index.txt\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\nrm -f /tmp/gh-aw/agent/lint-clean.flag\nREPO_ROOT=\"$(pwd)\"\n\ncd eslint-factory\nnpm ci > /tmp/gh-aw/agent/eslint-factory.log 2>&1\n\nif npm run lint:setup-js >> /tmp/gh-aw/agent/eslint-factory.log 2>&1; then\n : > /tmp/gh-aw/agent/eslint-diagnostics.txt\n : > /tmp/gh-aw/agent/skill-index.txt\n touch /tmp/gh-aw/agent/lint-clean.flag\n exit 0\nfi\n\ngrep -E '^[^:]+:[0-9]+:[0-9]+:' /tmp/gh-aw/agent/eslint-factory.log > /tmp/gh-aw/agent/eslint-diagnostics.txt || true\ndiag_count=$(wc -l < /tmp/gh-aw/agent/eslint-diagnostics.txt | tr -d ' ')\nif [ \"${diag_count}\" -eq 0 ]; then\n grep -E '^[[:space:]]*[^[:space:]].*$' /tmp/gh-aw/agent/eslint-factory.log | head -n 80 > /tmp/gh-aw/agent/eslint-diagnostics.txt || true\nfi\n\nfind \"${REPO_ROOT}/.github/skills\" -maxdepth 6 -name 'SKILL.md' | sort > /tmp/gh-aw/agent/skill-index.txt" - name: Configure Git credentials env: diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index af19e7091e7..f56aa642481 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -534,7 +534,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Fetch recent changes - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\n# Determine scan scope: Monday = full weekly scan, other weekdays = daily\nDAY=$(date +%u)\nif [ \"$DAY\" -eq 1 ]; then\n SINCE=\"7 days ago\"\n SCOPE=\"weekly\"\nelse\n SINCE=\"24 hours ago\"\n SCOPE=\"daily\"\nfi\n\necho \"Scan scope: $SCOPE (since: $SINCE)\"\n\n# Fetch recent commits (all files) — includes file names for context\ngit log --since=\"$SINCE\" --oneline --name-only \\\n > /tmp/gh-aw/agent/recent-commits.txt\n\n# Fetch commits that touched docs\ngit log --since=\"$SINCE\" --name-only \\\n --format=\"%H %s\" -- 'docs/**/*.md' 'docs/**/*.mdx' \\\n > /tmp/gh-aw/agent/doc-changes.txt\n\necho \"Recent commits: $(wc -l < /tmp/gh-aw/agent/recent-commits.txt)\"\necho \"Doc file changes: $(wc -l < /tmp/gh-aw/agent/doc-changes.txt)\"\necho \"$SCOPE\" > /tmp/gh-aw/agent/scan-scope.txt\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\n# Determine scan scope: Monday = full weekly scan, other weekdays = daily\nDAY=$(date +%u)\nif [ \"$DAY\" -eq 1 ]; then\n SINCE=\"7 days ago\"\n SCOPE=\"weekly\"\nelse\n SINCE=\"24 hours ago\"\n SCOPE=\"daily\"\nfi\n\necho \"Scan scope: $SCOPE (since: $SINCE)\"\n\n# Fetch recent commits (all files) — includes file names for context\ngit log --since=\"$SINCE\" --oneline --name-only \\\n > /tmp/gh-aw/agent/recent-commits.txt\n\n# Fetch commits that touched docs\ngit log --since=\"$SINCE\" --name-only \\\n --format=\"%H %s\" -- 'docs/**/*.md' 'docs/**/*.mdx' \\\n > /tmp/gh-aw/agent/doc-changes.txt\n\necho \"Recent commits: $(wc -l < /tmp/gh-aw/agent/recent-commits.txt)\"\necho \"Doc file changes: $(wc -l < /tmp/gh-aw/agent/doc-changes.txt)\"\necho \"$SCOPE\" > /tmp/gh-aw/agent/scan-scope.txt" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index fb5a0f15a3d..e9a78be3a2f 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -529,7 +529,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Download SBOM from GitHub Dependency Graph API - run: "set -e\necho \"📦 Downloading SBOM from GitHub Dependency Graph API...\"\n\n# Download SBOM using gh CLI (requires contents: read permission)\ngh api \\\n -H \"Accept: application/vnd.github+json\" \\\n -H \"X-GitHub-Api-Version: 2022-11-28\" \\\n \"/repos/$GITHUB_REPOSITORY/dependency-graph/sbom\" \\\n > /tmp/gh-aw/agent/sbom.json\n\necho \"✅ SBOM downloaded successfully to /tmp/gh-aw/agent/sbom.json\"\n\n# Show SBOM summary\nif command -v jq &> /dev/null; then\n PACKAGE_COUNT=$(jq '.sbom.packages | length' /tmp/gh-aw/agent/sbom.json 2>/dev/null || echo \"unknown\")\n echo \"📊 SBOM contains ${PACKAGE_COUNT} packages\"\nfi\n" + run: "set -e\necho \"📦 Downloading SBOM from GitHub Dependency Graph API...\"\n\n# Download SBOM using gh CLI (requires contents: read permission)\ngh api \\\n -H \"Accept: application/vnd.github+json\" \\\n -H \"X-GitHub-Api-Version: 2022-11-28\" \\\n \"/repos/$GITHUB_REPOSITORY/dependency-graph/sbom\" \\\n > /tmp/gh-aw/agent/sbom.json\n\necho \"✅ SBOM downloaded successfully to /tmp/gh-aw/agent/sbom.json\"\n\n# Show SBOM summary\nif command -v jq &> /dev/null; then\n PACKAGE_COUNT=$(jq '.sbom.packages | length' /tmp/gh-aw/agent/sbom.json 2>/dev/null || echo \"unknown\")\n echo \"📊 SBOM contains ${PACKAGE_COUNT} packages\"\nfi" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory diff --git a/.github/workflows/impeccable-skills-reviewer.lock.yml b/.github/workflows/impeccable-skills-reviewer.lock.yml index 95827d1eea9..5c3bcf85714 100644 --- a/.github/workflows/impeccable-skills-reviewer.lock.yml +++ b/.github/workflows/impeccable-skills-reviewer.lock.yml @@ -558,7 +558,7 @@ jobs: PR_DIFF_MAX_LINES: "3000" PR_NUMBER: ${{ github.event.pull_request.number }} name: Pre-fetch PR diff - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n{ gh pr diff \"$PR_NUMBER\" --repo $EXPR_GITHUB_REPOSITORY \\\n --exclude '**/*.lock.yml' \\\n --exclude '**/generated/**' \\\n --exclude '**/dist/**' \\\n --exclude '**/build/**' \\\n || true; } | head -n \"${PR_DIFF_MAX_LINES}\" > /tmp/gh-aw/agent/pr-diff.patch\nLINES=$(wc -l < /tmp/gh-aw/agent/pr-diff.patch)\ngh pr view \"$PR_NUMBER\" \\\n --repo $EXPR_GITHUB_REPOSITORY \\\n --json number,title,body,headRefName,additions,deletions,changedFiles,files \\\n > /tmp/gh-aw/agent/pr-meta.json\necho \"Pre-fetched PR diff (${LINES} lines) and metadata\"\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n{ gh pr diff \"$PR_NUMBER\" --repo $EXPR_GITHUB_REPOSITORY \\\n --exclude '**/*.lock.yml' \\\n --exclude '**/generated/**' \\\n --exclude '**/dist/**' \\\n --exclude '**/build/**' \\\n || true; } | head -n \"${PR_DIFF_MAX_LINES}\" > /tmp/gh-aw/agent/pr-diff.patch\nLINES=$(wc -l < /tmp/gh-aw/agent/pr-diff.patch)\ngh pr view \"$PR_NUMBER\" \\\n --repo $EXPR_GITHUB_REPOSITORY \\\n --json number,title,body,headRefName,additions,deletions,changedFiles,files \\\n > /tmp/gh-aw/agent/pr-meta.json\necho \"Pre-fetched PR diff (${LINES} lines) and metadata\"" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 0ad951403dc..d34c6dee11b 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -531,7 +531,7 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh" - name: Fetch issues - run: | + run: |- # Create output directory mkdir -p /tmp/gh-aw/agent/issues-data diff --git a/.github/workflows/lint-monster.lock.yml b/.github/workflows/lint-monster.lock.yml index ca9fe669bcd..63ed27361c8 100644 --- a/.github/workflows/lint-monster.lock.yml +++ b/.github/workflows/lint-monster.lock.yml @@ -468,7 +468,7 @@ jobs: GH_TOKEN: ${{ github.token }} - id: lint_scan name: Run custom lint pre-check - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\nrm -f /tmp/gh-aw/agent/lint-clean.flag\n\nif make golint-custom > /tmp/gh-aw/agent/golint-custom.log 2>&1; then\n : > /tmp/gh-aw/agent/lint-diagnostics.txt\n : > /tmp/gh-aw/agent/skill-index.txt\n touch /tmp/gh-aw/agent/lint-clean.flag\n exit 0\nfi\n\ngrep -E '^[^:]+:[0-9]+:[0-9]+:' /tmp/gh-aw/agent/golint-custom.log > /tmp/gh-aw/agent/lint-diagnostics.txt || true\ndiag_count=$(wc -l < /tmp/gh-aw/agent/lint-diagnostics.txt | tr -d ' ')\nif [ \"${diag_count}\" -eq 0 ]; then\n grep -E '^[[:space:]]*[^[:space:]].*$' /tmp/gh-aw/agent/golint-custom.log | head -n 50 > /tmp/gh-aw/agent/lint-diagnostics.txt || true\n diag_count=$(wc -l < /tmp/gh-aw/agent/lint-diagnostics.txt | tr -d ' ')\nfi\n\nfind .github/skills -maxdepth 6 -name 'SKILL.md' | sort > /tmp/gh-aw/agent/skill-index.txt\necho \"Lint diagnostics captured: ${diag_count}\"\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\nrm -f /tmp/gh-aw/agent/lint-clean.flag\n\nif make golint-custom > /tmp/gh-aw/agent/golint-custom.log 2>&1; then\n : > /tmp/gh-aw/agent/lint-diagnostics.txt\n : > /tmp/gh-aw/agent/skill-index.txt\n touch /tmp/gh-aw/agent/lint-clean.flag\n exit 0\nfi\n\ngrep -E '^[^:]+:[0-9]+:[0-9]+:' /tmp/gh-aw/agent/golint-custom.log > /tmp/gh-aw/agent/lint-diagnostics.txt || true\ndiag_count=$(wc -l < /tmp/gh-aw/agent/lint-diagnostics.txt | tr -d ' ')\nif [ \"${diag_count}\" -eq 0 ]; then\n grep -E '^[[:space:]]*[^[:space:]].*$' /tmp/gh-aw/agent/golint-custom.log | head -n 50 > /tmp/gh-aw/agent/lint-diagnostics.txt || true\n diag_count=$(wc -l < /tmp/gh-aw/agent/lint-diagnostics.txt | tr -d ' ')\nfi\n\nfind .github/skills -maxdepth 6 -name 'SKILL.md' | sort > /tmp/gh-aw/agent/skill-index.txt\necho \"Lint diagnostics captured: ${diag_count}\"" - name: Configure Git credentials env: diff --git a/.github/workflows/linter-miner.lock.yml b/.github/workflows/linter-miner.lock.yml index 2730b9f8134..a0b85e60737 100644 --- a/.github/workflows/linter-miner.lock.yml +++ b/.github/workflows/linter-miner.lock.yml @@ -566,7 +566,7 @@ jobs: GH_AW_SKILL_DIR: ".github/skills" run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh" - name: Preload linter source and cache context - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\n: > /tmp/gh-aw/agent/linters-src.txt\nwhile IFS= read -r -d '' file; do\n printf '\\n===== FILE: %s =====\\n' \"$file\" >> /tmp/gh-aw/agent/linters-src.txt\n cat \"$file\" >> /tmp/gh-aw/agent/linters-src.txt\ndone < <(find pkg/linters -type f -name '*.go' -print0 | sort -z)\ncat .github/skills/go-linters/SKILL.md > /tmp/gh-aw/agent/go-linters-skill.txt\n\nprior_file=\"\"\nif [ -d /tmp/gh-aw/cache-memory ]; then\n prior_file=\"$(find /tmp/gh-aw/cache-memory -maxdepth 4 -type f -name 'proposed-linters.json' | sort | head -n 1 || true)\"\n if [ -z \"${prior_file}\" ]; then\n prior_file=\"$(find /tmp/gh-aw/cache-memory -maxdepth 4 -type f -name 'proposed-linters' | sort | head -n 1 || true)\"\n fi\nfi\nif [ -n \"${prior_file}\" ] && [ -f \"${prior_file}\" ]; then\n cp \"${prior_file}\" /tmp/gh-aw/agent/prior-linters.json\nelse\n echo \"[]\" > /tmp/gh-aw/agent/prior-linters.json\nfi\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\n: > /tmp/gh-aw/agent/linters-src.txt\nwhile IFS= read -r -d '' file; do\n printf '\\n===== FILE: %s =====\\n' \"$file\" >> /tmp/gh-aw/agent/linters-src.txt\n cat \"$file\" >> /tmp/gh-aw/agent/linters-src.txt\ndone < <(find pkg/linters -type f -name '*.go' -print0 | sort -z)\ncat .github/skills/go-linters/SKILL.md > /tmp/gh-aw/agent/go-linters-skill.txt\n\nprior_file=\"\"\nif [ -d /tmp/gh-aw/cache-memory ]; then\n prior_file=\"$(find /tmp/gh-aw/cache-memory -maxdepth 4 -type f -name 'proposed-linters.json' | sort | head -n 1 || true)\"\n if [ -z \"${prior_file}\" ]; then\n prior_file=\"$(find /tmp/gh-aw/cache-memory -maxdepth 4 -type f -name 'proposed-linters' | sort | head -n 1 || true)\"\n fi\nfi\nif [ -n \"${prior_file}\" ] && [ -f \"${prior_file}\" ]; then\n cp \"${prior_file}\" /tmp/gh-aw/agent/prior-linters.json\nelse\n echo \"[]\" > /tmp/gh-aw/agent/prior-linters.json\nfi" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 diff --git a/.github/workflows/mattpocock-skills-reviewer.lock.yml b/.github/workflows/mattpocock-skills-reviewer.lock.yml index 3cabcf0a1ae..926908661cb 100644 --- a/.github/workflows/mattpocock-skills-reviewer.lock.yml +++ b/.github/workflows/mattpocock-skills-reviewer.lock.yml @@ -705,7 +705,7 @@ jobs: GH_TOKEN: ${{ github.token }} PR_NUMBER: ${{ github.event.pull_request.number }} name: Pre-fetch PR diff - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n{ gh pr diff \"$PR_NUMBER\" --repo $EXPR_GITHUB_REPOSITORY \\\n --exclude '**/*.lock.yml' \\\n --exclude '**/generated/**' \\\n --exclude '**/dist/**' \\\n --exclude '**/build/**' \\\n || true; } | head -n 3000 > /tmp/gh-aw/agent/pr-diff.patch\nLINES=$(wc -l < /tmp/gh-aw/agent/pr-diff.patch)\ngh pr view \"$PR_NUMBER\" \\\n --repo $EXPR_GITHUB_REPOSITORY \\\n --json number,title,body,headRefName,additions,deletions,changedFiles,files \\\n > /tmp/gh-aw/agent/pr-meta.json\necho \"Pre-fetched PR diff (${LINES} lines) and metadata\"\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n{ gh pr diff \"$PR_NUMBER\" --repo $EXPR_GITHUB_REPOSITORY \\\n --exclude '**/*.lock.yml' \\\n --exclude '**/generated/**' \\\n --exclude '**/dist/**' \\\n --exclude '**/build/**' \\\n || true; } | head -n 3000 > /tmp/gh-aw/agent/pr-diff.patch\nLINES=$(wc -l < /tmp/gh-aw/agent/pr-diff.patch)\ngh pr view \"$PR_NUMBER\" \\\n --repo $EXPR_GITHUB_REPOSITORY \\\n --json number,title,body,headRefName,additions,deletions,changedFiles,files \\\n > /tmp/gh-aw/agent/pr-meta.json\necho \"Pre-fetched PR diff (${LINES} lines) and metadata\"" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index b450c0e9e14..fd32f482178 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -535,7 +535,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Configure Git credentials - run: "git config user.name \"github-actions[bot]\"\ngit config user.email \"github-actions[bot]@users.noreply.github.com\"\n\n# Create .gitignore to exclude workflow YAML files\ncat > /tmp/gh-aw/agent/merge-gitignore << 'EOF'\n# Exclude all .yml files in .github/workflows/\n.github/workflows/*.yml\nEOF\n" + run: "git config user.name \"github-actions[bot]\"\ngit config user.email \"github-actions[bot]@users.noreply.github.com\"\n\n# Create .gitignore to exclude workflow YAML files\ncat > /tmp/gh-aw/agent/merge-gitignore << 'EOF'\n# Exclude all .yml files in .github/workflows/\n.github/workflows/*.yml\nEOF" - name: Configure Git credentials env: diff --git a/.github/workflows/objective-impact-report.lock.yml b/.github/workflows/objective-impact-report.lock.yml index 4be7bdba8b7..de8be6fa7d6 100644 --- a/.github/workflows/objective-impact-report.lock.yml +++ b/.github/workflows/objective-impact-report.lock.yml @@ -522,7 +522,7 @@ jobs: name: Prepare safe-output issue evaluations uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: - script: "const fs = require(\"fs\");\nconst path = require(\"path\");\nconst { execFileSync } = require(\"child_process\");\nconst {\n evaluateItem,\n normalizeOutcome,\n readJSONL,\n} = require(path.join(process.env.GITHUB_WORKSPACE || process.cwd(), \"actions/setup/js/evaluate_outcomes.cjs\"));\n\nconst DATA_DIR = \"/tmp/gh-aw/agent/objective-impact-report\";\nconst RUNS_DIR = path.join(DATA_DIR, \"safe-output-runs\");\nconst OUTPUT_JSONL = path.join(DATA_DIR, \"safe-output-issue-evaluations.jsonl\");\nconst OUTPUT_SUMMARY = path.join(DATA_DIR, \"safe-output-issue-summary.json\");\n\nfunction readJSON(filePath, fallback) {\n try {\n return JSON.parse(fs.readFileSync(filePath, \"utf8\"));\n } catch {\n return fallback;\n }\n}\n\nfunction writeFileAtomic(filePath, content) {\n const baseName = path.basename(filePath);\n const parentDir = path.dirname(filePath);\n const tmpDir = fs.mkdtempSync(path.join(parentDir, `.${baseName}.tmp-`));\n const tmpFile = path.join(tmpDir, baseName);\n try {\n try {\n fs.writeFileSync(tmpFile, content);\n } catch (err) {\n throw new Error(`failed to write temp file ${tmpFile}`, { cause: err });\n }\n try {\n fs.renameSync(tmpFile, filePath);\n } catch (err) {\n throw new Error(`failed to rename temp file ${tmpFile} to ${filePath}`, { cause: err });\n }\n } finally {\n fs.rmSync(tmpDir, { recursive: true, force: true });\n }\n}\n\nfunction writeJSON(filePath, value) {\n writeFileAtomic(filePath, JSON.stringify(value, null, 2) + \"\\n\");\n}\n\nfunction gh(args) {\n try {\n return execFileSync(\"gh\", args, { encoding: \"utf8\", stdio: [\"pipe\", \"pipe\", \"pipe\"] }).trim();\n } catch {\n return null;\n }\n}\n\nfunction ensureIssueURL(item, repo) {\n if (item.url || typeof item.number !== \"number\" || !repo) {\n return item;\n }\n return {\n ...item,\n url: `https://github.com/${repo}/issues/${item.number}`,\n };\n}\n\nfunction loadRuns() {\n const workflowLogs = readJSON(path.join(DATA_DIR, \"workflow-logs.json\"), {});\n const runs = Array.isArray(workflowLogs.runs) ? workflowLogs.runs : [];\n return runs\n .map(run => ({\n id: Number(run.id ?? run.databaseId ?? 0),\n workflow_name: run.workflow_name || run.workflowName || \"\",\n aic: run.aic ?? null,\n created_at: run.created_at || run.createdAt || \"\",\n status: run.status || \"\",\n conclusion: run.conclusion || \"\",\n url: run.html_url || run.url || \"\",\n }))\n .filter(run => Number.isInteger(run.id) && run.id > 0);\n}\n\nfunction loadManifest(runDir) {\n const manifestPath = path.join(runDir, \"safe-output-items.jsonl\");\n if (!fs.existsSync(manifestPath)) return [];\n return readJSONL(manifestPath);\n}\n\nfunction downloadManifest(repo, runId, runDir) {\n fs.mkdirSync(runDir, { recursive: true });\n const manifestPath = path.join(runDir, \"safe-output-items.jsonl\");\n if (fs.existsSync(manifestPath) && fs.statSync(manifestPath).size > 0) {\n return true;\n }\n const result = gh([\"run\", \"download\", String(runId), \"--repo\", repo, \"--name\", \"safe-outputs-items\", \"--dir\", runDir]);\n return result !== null && fs.existsSync(manifestPath) && fs.statSync(manifestPath).size > 0;\n}\n\nfunction main() {\n const repo = process.env.EXPR_GITHUB_REPOSITORY || process.env.GITHUB_REPOSITORY || \"\";\n if (!repo) {\n console.error(\"EXPR_GITHUB_REPOSITORY or GITHUB_REPOSITORY is required\");\n process.exit(1);\n }\n\n fs.mkdirSync(DATA_DIR, { recursive: true });\n fs.mkdirSync(RUNS_DIR, { recursive: true });\n\n const runs = loadRuns();\n const rows = [];\n\n for (const run of runs) {\n const runDir = path.join(RUNS_DIR, `run-${run.id}`);\n if (!downloadManifest(repo, run.id, runDir)) {\n continue;\n }\n\n const items = loadManifest(runDir)\n .filter(item => item && (item.type === \"create_issue\" || item.type === \"close_issue\"))\n .map(item => ensureIssueURL(item, item.repo || repo));\n\n for (const item of items) {\n const evalResult = evaluateItem(item, repo);\n const normalized = normalizeOutcome(evalResult.result, evalResult.detail);\n rows.push({\n run_id: run.id,\n workflow_name: run.workflow_name,\n workflow_aic: run.aic,\n workflow_run_created_at: run.created_at,\n workflow_run_url: run.url,\n type: item.type,\n repo: item.repo || repo,\n number: typeof item.number === \"number\" ? item.number : null,\n url: item.url || \"\",\n timestamp: item.timestamp || \"\",\n result: evalResult.result,\n detail: evalResult.detail,\n outcome_status: normalized.outcome_status,\n evidence_strength: normalized.evidence_strength,\n signal: normalized.signal,\n resolution_sec: evalResult.resolution_sec,\n pending_age_sec: evalResult.pending_age_sec,\n comments: evalResult.comments,\n reactions_total: evalResult.reactions_total,\n reactions_positive: evalResult.reactions_positive,\n reactions_negative: evalResult.reactions_negative,\n zero_touch: evalResult.zero_touch,\n });\n }\n }\n\n writeFileAtomic(OUTPUT_JSONL, rows.map(row => JSON.stringify(row)).join(\"\\n\") + (rows.length > 0 ? \"\\n\" : \"\"));\n\n const summary = {\n total_issue_outcomes: rows.length,\n create_issue_count: rows.filter(row => row.type === \"create_issue\").length,\n close_issue_count: rows.filter(row => row.type === \"close_issue\").length,\n accepted_count: rows.filter(row => row.outcome_status === \"accepted\").length,\n rejected_count: rows.filter(row => row.outcome_status === \"rejected\").length,\n pending_count: rows.filter(row => row.outcome_status === \"pending\").length,\n ignored_count: rows.filter(row => row.outcome_status === \"ignored\").length,\n unknown_count: rows.filter(row => row.outcome_status === \"unknown\").length,\n distinct_workflows: [...new Set(rows.map(row => row.workflow_name).filter(Boolean))].length,\n distinct_runs_with_issue_outcomes: [...new Set(rows.map(row => row.run_id))].length,\n };\n writeJSON(OUTPUT_SUMMARY, summary);\n}\n\nmain();\n" + script: "const fs = require(\"fs\");\nconst path = require(\"path\");\nconst { execFileSync } = require(\"child_process\");\nconst {\n evaluateItem,\n normalizeOutcome,\n readJSONL,\n} = require(path.join(process.env.GITHUB_WORKSPACE || process.cwd(), \"actions/setup/js/evaluate_outcomes.cjs\"));\n\nconst DATA_DIR = \"/tmp/gh-aw/agent/objective-impact-report\";\nconst RUNS_DIR = path.join(DATA_DIR, \"safe-output-runs\");\nconst OUTPUT_JSONL = path.join(DATA_DIR, \"safe-output-issue-evaluations.jsonl\");\nconst OUTPUT_SUMMARY = path.join(DATA_DIR, \"safe-output-issue-summary.json\");\n\nfunction readJSON(filePath, fallback) {\n try {\n return JSON.parse(fs.readFileSync(filePath, \"utf8\"));\n } catch {\n return fallback;\n }\n}\n\nfunction writeFileAtomic(filePath, content) {\n const baseName = path.basename(filePath);\n const parentDir = path.dirname(filePath);\n const tmpDir = fs.mkdtempSync(path.join(parentDir, `.${baseName}.tmp-`));\n const tmpFile = path.join(tmpDir, baseName);\n try {\n try {\n fs.writeFileSync(tmpFile, content);\n } catch (err) {\n throw new Error(`failed to write temp file ${tmpFile}`, { cause: err });\n }\n try {\n fs.renameSync(tmpFile, filePath);\n } catch (err) {\n throw new Error(`failed to rename temp file ${tmpFile} to ${filePath}`, { cause: err });\n }\n } finally {\n fs.rmSync(tmpDir, { recursive: true, force: true });\n }\n}\n\nfunction writeJSON(filePath, value) {\n writeFileAtomic(filePath, JSON.stringify(value, null, 2) + \"\\n\");\n}\n\nfunction gh(args) {\n try {\n return execFileSync(\"gh\", args, { encoding: \"utf8\", stdio: [\"pipe\", \"pipe\", \"pipe\"] }).trim();\n } catch {\n return null;\n }\n}\n\nfunction ensureIssueURL(item, repo) {\n if (item.url || typeof item.number !== \"number\" || !repo) {\n return item;\n }\n return {\n ...item,\n url: `https://github.com/${repo}/issues/${item.number}`,\n };\n}\n\nfunction loadRuns() {\n const workflowLogs = readJSON(path.join(DATA_DIR, \"workflow-logs.json\"), {});\n const runs = Array.isArray(workflowLogs.runs) ? workflowLogs.runs : [];\n return runs\n .map(run => ({\n id: Number(run.id ?? run.databaseId ?? 0),\n workflow_name: run.workflow_name || run.workflowName || \"\",\n aic: run.aic ?? null,\n created_at: run.created_at || run.createdAt || \"\",\n status: run.status || \"\",\n conclusion: run.conclusion || \"\",\n url: run.html_url || run.url || \"\",\n }))\n .filter(run => Number.isInteger(run.id) && run.id > 0);\n}\n\nfunction loadManifest(runDir) {\n const manifestPath = path.join(runDir, \"safe-output-items.jsonl\");\n if (!fs.existsSync(manifestPath)) return [];\n return readJSONL(manifestPath);\n}\n\nfunction downloadManifest(repo, runId, runDir) {\n fs.mkdirSync(runDir, { recursive: true });\n const manifestPath = path.join(runDir, \"safe-output-items.jsonl\");\n if (fs.existsSync(manifestPath) && fs.statSync(manifestPath).size > 0) {\n return true;\n }\n const result = gh([\"run\", \"download\", String(runId), \"--repo\", repo, \"--name\", \"safe-outputs-items\", \"--dir\", runDir]);\n return result !== null && fs.existsSync(manifestPath) && fs.statSync(manifestPath).size > 0;\n}\n\nfunction main() {\n const repo = process.env.EXPR_GITHUB_REPOSITORY || process.env.GITHUB_REPOSITORY || \"\";\n if (!repo) {\n console.error(\"EXPR_GITHUB_REPOSITORY or GITHUB_REPOSITORY is required\");\n process.exit(1);\n }\n\n fs.mkdirSync(DATA_DIR, { recursive: true });\n fs.mkdirSync(RUNS_DIR, { recursive: true });\n\n const runs = loadRuns();\n const rows = [];\n\n for (const run of runs) {\n const runDir = path.join(RUNS_DIR, `run-${run.id}`);\n if (!downloadManifest(repo, run.id, runDir)) {\n continue;\n }\n\n const items = loadManifest(runDir)\n .filter(item => item && (item.type === \"create_issue\" || item.type === \"close_issue\"))\n .map(item => ensureIssueURL(item, item.repo || repo));\n\n for (const item of items) {\n const evalResult = evaluateItem(item, repo);\n const normalized = normalizeOutcome(evalResult.result, evalResult.detail);\n rows.push({\n run_id: run.id,\n workflow_name: run.workflow_name,\n workflow_aic: run.aic,\n workflow_run_created_at: run.created_at,\n workflow_run_url: run.url,\n type: item.type,\n repo: item.repo || repo,\n number: typeof item.number === \"number\" ? item.number : null,\n url: item.url || \"\",\n timestamp: item.timestamp || \"\",\n result: evalResult.result,\n detail: evalResult.detail,\n outcome_status: normalized.outcome_status,\n evidence_strength: normalized.evidence_strength,\n signal: normalized.signal,\n resolution_sec: evalResult.resolution_sec,\n pending_age_sec: evalResult.pending_age_sec,\n comments: evalResult.comments,\n reactions_total: evalResult.reactions_total,\n reactions_positive: evalResult.reactions_positive,\n reactions_negative: evalResult.reactions_negative,\n zero_touch: evalResult.zero_touch,\n });\n }\n }\n\n writeFileAtomic(OUTPUT_JSONL, rows.map(row => JSON.stringify(row)).join(\"\\n\") + (rows.length > 0 ? \"\\n\" : \"\"));\n\n const summary = {\n total_issue_outcomes: rows.length,\n create_issue_count: rows.filter(row => row.type === \"create_issue\").length,\n close_issue_count: rows.filter(row => row.type === \"close_issue\").length,\n accepted_count: rows.filter(row => row.outcome_status === \"accepted\").length,\n rejected_count: rows.filter(row => row.outcome_status === \"rejected\").length,\n pending_count: rows.filter(row => row.outcome_status === \"pending\").length,\n ignored_count: rows.filter(row => row.outcome_status === \"ignored\").length,\n unknown_count: rows.filter(row => row.outcome_status === \"unknown\").length,\n distinct_workflows: [...new Set(rows.map(row => row.workflow_name).filter(Boolean))].length,\n distinct_runs_with_issue_outcomes: [...new Set(rows.map(row => row.run_id))].length,\n };\n writeJSON(OUTPUT_SUMMARY, summary);\n}\n\nmain();" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/pr-description-caveman.lock.yml b/.github/workflows/pr-description-caveman.lock.yml index e3611bb4129..e63c783d20b 100644 --- a/.github/workflows/pr-description-caveman.lock.yml +++ b/.github/workflows/pr-description-caveman.lock.yml @@ -480,7 +480,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} name: Fetch and chunk PR diff - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent/chunks\n\nEXCLUSIONS=(\n ':!*.lock.yml' ':!*.lock' ':!*-lock.json' ':!yarn.lock'\n ':!go.sum' ':!go.mod'\n ':!*.generated.*' ':!generated/**' ':!vendor/**'\n ':!dist/**' ':!*.min.js' ':!*.min.css'\n)\n\n# Diff stat (always small — safe to capture in full)\ngit diff \"$BASE_SHA\"...\"$HEAD_SHA\" -- \"${EXCLUSIONS[@]}\" --stat \\\n > /tmp/gh-aw/agent/diff-stat.txt 2>&1 || true\n\n# Commit log\ngit log --oneline \"$BASE_SHA\"..\"$HEAD_SHA\" \\\n > /tmp/gh-aw/agent/commits.txt 2>&1 || true\n\n# Full diff split into 400-line chunks\n# split -l produces chunk_000, chunk_001, ...\ngit diff \"$BASE_SHA\"...\"$HEAD_SHA\" -- \"${EXCLUSIONS[@]}\" \\\n | split -l 400 - /tmp/gh-aw/agent/chunks/chunk_ 2>/dev/null || true\n\n# Record chunk manifest and count so the agent can process deterministically\nls /tmp/gh-aw/agent/chunks/ > /tmp/gh-aw/agent/chunk-manifest.txt\nwc -l < /tmp/gh-aw/agent/chunk-manifest.txt > /tmp/gh-aw/agent/chunk-count.txt\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent/chunks\n\nEXCLUSIONS=(\n ':!*.lock.yml' ':!*.lock' ':!*-lock.json' ':!yarn.lock'\n ':!go.sum' ':!go.mod'\n ':!*.generated.*' ':!generated/**' ':!vendor/**'\n ':!dist/**' ':!*.min.js' ':!*.min.css'\n)\n\n# Diff stat (always small — safe to capture in full)\ngit diff \"$BASE_SHA\"...\"$HEAD_SHA\" -- \"${EXCLUSIONS[@]}\" --stat \\\n > /tmp/gh-aw/agent/diff-stat.txt 2>&1 || true\n\n# Commit log\ngit log --oneline \"$BASE_SHA\"..\"$HEAD_SHA\" \\\n > /tmp/gh-aw/agent/commits.txt 2>&1 || true\n\n# Full diff split into 400-line chunks\n# split -l produces chunk_000, chunk_001, ...\ngit diff \"$BASE_SHA\"...\"$HEAD_SHA\" -- \"${EXCLUSIONS[@]}\" \\\n | split -l 400 - /tmp/gh-aw/agent/chunks/chunk_ 2>/dev/null || true\n\n# Record chunk manifest and count so the agent can process deterministically\nls /tmp/gh-aw/agent/chunks/ > /tmp/gh-aw/agent/chunk-manifest.txt\nwc -l < /tmp/gh-aw/agent/chunk-manifest.txt > /tmp/gh-aw/agent/chunk-count.txt" - name: Configure Git credentials env: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index a267142e5d6..3eab6c36254 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -569,7 +569,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Download workflow logs for PR analysis - run: "# Create logs directory\nmkdir -p /tmp/gh-aw/agent/workflow-logs\n\necho \"Downloading workflow logs to extract turn counts...\"\n\n# Download logs for the last 30 days of copilot workflows\n# This will give us the aw_info.json which contains turn counts\n./gh-aw logs --engine copilot --start-date -30d -o /tmp/gh-aw/agent/workflow-logs\n\n# Verify logs were downloaded\necho \"Downloaded workflow logs:\"\nfind /tmp/gh-aw/agent/workflow-logs -maxdepth 1 -ls\n" + run: "# Create logs directory\nmkdir -p /tmp/gh-aw/agent/workflow-logs\n\necho \"Downloading workflow logs to extract turn counts...\"\n\n# Download logs for the last 30 days of copilot workflows\n# This will give us the aw_info.json which contains turn counts\n./gh-aw logs --engine copilot --start-date -30d -o /tmp/gh-aw/agent/workflow-logs\n\n# Verify logs were downloaded\necho \"Downloaded workflow logs:\"\nfind /tmp/gh-aw/agent/workflow-logs -maxdepth 1 -ls" # Cache configuration from frontmatter processed below - name: Save prompt clustering data to cache diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index d06c96072a6..cbe60cf6d1e 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -502,7 +502,7 @@ jobs: RELEASE_ID: ${{ needs.release.outputs.release_id }} RELEASE_TAG: ${{ needs.config.outputs.release_tag }} name: Setup release environment - run: "set -e\nmkdir -p /tmp/gh-aw/agent/release-data\nmkdir -p /tmp/gh-aw/agent/community-data\n# Copy community issues from the agent/community-data path (written by community-attribution import step)\ncp /tmp/gh-aw/agent/community-data/community_issues.json /tmp/gh-aw/agent/community-data/community_issues.json 2>/dev/null || echo \"[]\" > /tmp/gh-aw/agent/community-data/community_issues.json\n\n# Use the release ID and tag from the release job\necho \"Release ID from release job: $RELEASE_ID\"\necho \"Release tag from release job: $RELEASE_TAG\"\n\necho \"Processing release: $RELEASE_TAG\"\necho \"RELEASE_TAG=$RELEASE_TAG\" >> \"$GITHUB_ENV\"\n\n# Get the current release information\n# Use release ID to fetch release data\ngh api \"/repos/$GITHUB_REPOSITORY/releases/$RELEASE_ID\" > /tmp/gh-aw/agent/release-data/current_release.json\necho \"✓ Fetched current release information\"\n\n# Get the previous release to determine the range\nPREV_RELEASE_TAG=$(gh release list --limit 2 --json tagName --jq '.[1].tagName // empty')\n\nif [ -z \"$PREV_RELEASE_TAG\" ]; then\n echo \"No previous release found. This appears to be the first release.\"\n echo \"PREV_RELEASE_TAG=\" >> \"$GITHUB_ENV\"\n touch /tmp/gh-aw/agent/release-data/pull_requests.json\n echo \"[]\" > /tmp/gh-aw/agent/release-data/pull_requests.json\nelse\n echo \"Previous release: $PREV_RELEASE_TAG\"\n echo \"PREV_RELEASE_TAG=$PREV_RELEASE_TAG\" >> \"$GITHUB_ENV\"\n \n # Get commits between releases\n echo \"Fetching commits between $PREV_RELEASE_TAG and $RELEASE_TAG...\"\n git fetch --unshallow 2>/dev/null || git fetch --depth=1000\n \n # Get all merged PRs between the two releases (include closingIssuesReferences for attribution)\n echo \"Fetching pull requests merged between releases...\"\n PREV_PUBLISHED_AT=$(gh release view \"$PREV_RELEASE_TAG\" --json publishedAt --jq .publishedAt)\n CURR_PUBLISHED_AT=$(gh release view \"$RELEASE_TAG\" --json publishedAt --jq .publishedAt)\n gh pr list \\\n --state merged \\\n --limit 1000 \\\n --json number,title,author,labels,mergedAt,url,body,closingIssuesReferences \\\n --jq \"[.[] | select(.mergedAt >= \\\"$PREV_PUBLISHED_AT\\\" and .mergedAt <= \\\"$CURR_PUBLISHED_AT\\\")]\" \\\n > /tmp/gh-aw/agent/release-data/pull_requests.json\n \n PR_COUNT=$(jq length \"/tmp/gh-aw/agent/release-data/pull_requests.json\")\n echo \"✓ Fetched $PR_COUNT pull requests\"\nfi\n\n# Build closing references index from GitHub-native closingIssuesReferences\n# Maps each closed issue number -> list of PR numbers that directly close it\necho \"Building closing references index from GitHub-native PR links...\"\n# Use a nested reduce so the outer body always returns the accumulator,\n# even when closingIssuesReferences is empty (avoids jq setting acc to null).\njq '\n reduce .[] as $pr (\n {};\n reduce ($pr.closingIssuesReferences // [])[] as $issue (\n .;\n ($issue.number | tostring) as $key |\n .[$key] = (.[$key] // []) + [$pr.number]\n )\n )\n' /tmp/gh-aw/agent/release-data/pull_requests.json \\\n > /tmp/gh-aw/agent/release-data/closing_refs_by_issue.json 2>/dev/null \\\n || echo \"{}\" > /tmp/gh-aw/agent/release-data/closing_refs_by_issue.json\n# Also expose to community-data dir so shared attribution strategy can reference it\ncp /tmp/gh-aw/agent/release-data/closing_refs_by_issue.json /tmp/gh-aw/agent/community-data/closing_refs_by_issue.json\ncp /tmp/gh-aw/agent/release-data/pull_requests.json /tmp/gh-aw/agent/community-data/pull_requests.json\n\nDIRECT_CLOSE_COUNT=$(jq 'keys | length' /tmp/gh-aw/agent/release-data/closing_refs_by_issue.json)\necho \"✓ Found $DIRECT_CLOSE_COUNT issues with GitHub-native closing PR references\"\n\n# Find community issues closed during this release window (candidates for attribution review)\nif [ -n \"$PREV_PUBLISHED_AT\" ]; then\n jq --arg prev \"$PREV_PUBLISHED_AT\" --arg curr \"$CURR_PUBLISHED_AT\" \\\n '[.[] | select(.closedAt != null and .closedAt >= $prev and .closedAt <= $curr)]' \\\n /tmp/gh-aw/agent/community-data/community_issues.json \\\n > /tmp/gh-aw/agent/release-data/community_issues_closed_in_window.json 2>/dev/null \\\n || echo \"[]\" > /tmp/gh-aw/agent/release-data/community_issues_closed_in_window.json\n \n CLOSED_IN_WINDOW=$(jq length /tmp/gh-aw/agent/release-data/community_issues_closed_in_window.json)\n echo \"✓ Found $CLOSED_IN_WINDOW community issues closed in this release window\"\nelse\n echo \"[]\" > /tmp/gh-aw/agent/release-data/community_issues_closed_in_window.json\nfi\n\n# Get the CHANGELOG.md content around this version\nif [ -f \"CHANGELOG.md\" ]; then\n cp CHANGELOG.md /tmp/gh-aw/agent/release-data/CHANGELOG.md\n echo \"✓ Copied CHANGELOG.md for reference\"\nfi\n\n# List documentation files for linking\nfind docs -type f -name \"*.md\" 2>/dev/null > /tmp/gh-aw/agent/release-data/docs_files.txt || echo \"No docs directory found\"\n\necho \"✓ Setup complete.\"\necho \" Release data: /tmp/gh-aw/agent/release-data/ (current_release.json, pull_requests.json,\"\necho \" closing_refs_by_issue.json, community_issues_closed_in_window.json,\"\necho \" CHANGELOG.md (if exists), docs_files.txt)\"\necho \" Community data: /tmp/gh-aw/agent/community-data/ (community_issues.json,\"\necho \" closing_refs_by_issue.json, pull_requests.json)\"\n" + run: "set -e\nmkdir -p /tmp/gh-aw/agent/release-data\nmkdir -p /tmp/gh-aw/agent/community-data\n# Copy community issues from the agent/community-data path (written by community-attribution import step)\ncp /tmp/gh-aw/agent/community-data/community_issues.json /tmp/gh-aw/agent/community-data/community_issues.json 2>/dev/null || echo \"[]\" > /tmp/gh-aw/agent/community-data/community_issues.json\n\n# Use the release ID and tag from the release job\necho \"Release ID from release job: $RELEASE_ID\"\necho \"Release tag from release job: $RELEASE_TAG\"\n\necho \"Processing release: $RELEASE_TAG\"\necho \"RELEASE_TAG=$RELEASE_TAG\" >> \"$GITHUB_ENV\"\n\n# Get the current release information\n# Use release ID to fetch release data\ngh api \"/repos/$GITHUB_REPOSITORY/releases/$RELEASE_ID\" > /tmp/gh-aw/agent/release-data/current_release.json\necho \"✓ Fetched current release information\"\n\n# Get the previous release to determine the range\nPREV_RELEASE_TAG=$(gh release list --limit 2 --json tagName --jq '.[1].tagName // empty')\n\nif [ -z \"$PREV_RELEASE_TAG\" ]; then\n echo \"No previous release found. This appears to be the first release.\"\n echo \"PREV_RELEASE_TAG=\" >> \"$GITHUB_ENV\"\n touch /tmp/gh-aw/agent/release-data/pull_requests.json\n echo \"[]\" > /tmp/gh-aw/agent/release-data/pull_requests.json\nelse\n echo \"Previous release: $PREV_RELEASE_TAG\"\n echo \"PREV_RELEASE_TAG=$PREV_RELEASE_TAG\" >> \"$GITHUB_ENV\"\n \n # Get commits between releases\n echo \"Fetching commits between $PREV_RELEASE_TAG and $RELEASE_TAG...\"\n git fetch --unshallow 2>/dev/null || git fetch --depth=1000\n \n # Get all merged PRs between the two releases (include closingIssuesReferences for attribution)\n echo \"Fetching pull requests merged between releases...\"\n PREV_PUBLISHED_AT=$(gh release view \"$PREV_RELEASE_TAG\" --json publishedAt --jq .publishedAt)\n CURR_PUBLISHED_AT=$(gh release view \"$RELEASE_TAG\" --json publishedAt --jq .publishedAt)\n gh pr list \\\n --state merged \\\n --limit 1000 \\\n --json number,title,author,labels,mergedAt,url,body,closingIssuesReferences \\\n --jq \"[.[] | select(.mergedAt >= \\\"$PREV_PUBLISHED_AT\\\" and .mergedAt <= \\\"$CURR_PUBLISHED_AT\\\")]\" \\\n > /tmp/gh-aw/agent/release-data/pull_requests.json\n \n PR_COUNT=$(jq length \"/tmp/gh-aw/agent/release-data/pull_requests.json\")\n echo \"✓ Fetched $PR_COUNT pull requests\"\nfi\n\n# Build closing references index from GitHub-native closingIssuesReferences\n# Maps each closed issue number -> list of PR numbers that directly close it\necho \"Building closing references index from GitHub-native PR links...\"\n# Use a nested reduce so the outer body always returns the accumulator,\n# even when closingIssuesReferences is empty (avoids jq setting acc to null).\njq '\n reduce .[] as $pr (\n {};\n reduce ($pr.closingIssuesReferences // [])[] as $issue (\n .;\n ($issue.number | tostring) as $key |\n .[$key] = (.[$key] // []) + [$pr.number]\n )\n )\n' /tmp/gh-aw/agent/release-data/pull_requests.json \\\n > /tmp/gh-aw/agent/release-data/closing_refs_by_issue.json 2>/dev/null \\\n || echo \"{}\" > /tmp/gh-aw/agent/release-data/closing_refs_by_issue.json\n# Also expose to community-data dir so shared attribution strategy can reference it\ncp /tmp/gh-aw/agent/release-data/closing_refs_by_issue.json /tmp/gh-aw/agent/community-data/closing_refs_by_issue.json\ncp /tmp/gh-aw/agent/release-data/pull_requests.json /tmp/gh-aw/agent/community-data/pull_requests.json\n\nDIRECT_CLOSE_COUNT=$(jq 'keys | length' /tmp/gh-aw/agent/release-data/closing_refs_by_issue.json)\necho \"✓ Found $DIRECT_CLOSE_COUNT issues with GitHub-native closing PR references\"\n\n# Find community issues closed during this release window (candidates for attribution review)\nif [ -n \"$PREV_PUBLISHED_AT\" ]; then\n jq --arg prev \"$PREV_PUBLISHED_AT\" --arg curr \"$CURR_PUBLISHED_AT\" \\\n '[.[] | select(.closedAt != null and .closedAt >= $prev and .closedAt <= $curr)]' \\\n /tmp/gh-aw/agent/community-data/community_issues.json \\\n > /tmp/gh-aw/agent/release-data/community_issues_closed_in_window.json 2>/dev/null \\\n || echo \"[]\" > /tmp/gh-aw/agent/release-data/community_issues_closed_in_window.json\n \n CLOSED_IN_WINDOW=$(jq length /tmp/gh-aw/agent/release-data/community_issues_closed_in_window.json)\n echo \"✓ Found $CLOSED_IN_WINDOW community issues closed in this release window\"\nelse\n echo \"[]\" > /tmp/gh-aw/agent/release-data/community_issues_closed_in_window.json\nfi\n\n# Get the CHANGELOG.md content around this version\nif [ -f \"CHANGELOG.md\" ]; then\n cp CHANGELOG.md /tmp/gh-aw/agent/release-data/CHANGELOG.md\n echo \"✓ Copied CHANGELOG.md for reference\"\nfi\n\n# List documentation files for linking\nfind docs -type f -name \"*.md\" 2>/dev/null > /tmp/gh-aw/agent/release-data/docs_files.txt || echo \"No docs directory found\"\n\necho \"✓ Setup complete.\"\necho \" Release data: /tmp/gh-aw/agent/release-data/ (current_release.json, pull_requests.json,\"\necho \" closing_refs_by_issue.json, community_issues_closed_in_window.json,\"\necho \" CHANGELOG.md (if exists), docs_files.txt)\"\necho \" Community data: /tmp/gh-aw/agent/community-data/ (community_issues.json,\"\necho \" closing_refs_by_issue.json, pull_requests.json)\"" - name: Configure Git credentials env: diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 02b41ff9441..f100c388288 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -493,7 +493,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Collect quality metrics - run: "mkdir -p /tmp/gh-aw/agent\n{\n echo \"## Focus Area History\"\n if [ -f /tmp/gh-aw/cache-memory-focus-areas/history.json ]; then\n cat /tmp/gh-aw/cache-memory-focus-areas/history.json\n else\n echo '{\"runs\":[],\"recent_areas\":[],\"statistics\":{\"total_runs\":0,\"custom_rate\":0,\"reuse_rate\":0,\"unique_areas_explored\":0}}'\n fi\n\n echo \"\"\n echo \"## Code Metrics\"\n echo \"### Largest Go source files (top 20)\"\n find . -type f -name \"*.go\" ! -name \"*_test.go\" ! -path \"./.git/*\" | xargs wc -l 2>/dev/null | sort -rn | head -21 | tail -20\n\n echo \"### Test ratio\"\n TEST_LOC=$(find . -type f -name \"*_test.go\" ! -path \"./.git/*\" | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}')\n SRC_LOC=$(find . -type f -name \"*.go\" ! -name \"*_test.go\" ! -path \"./.git/*\" | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}')\n echo \"Test LOC: $TEST_LOC | Source LOC: $SRC_LOC\"\n\n echo \"### Directory file counts\"\n for dir in cmd pkg docs .github; do\n if [ -d \"$dir\" ]; then\n echo \"$dir: $(find \"$dir\" -type f | wc -l) files\"\n fi\n done\n\n echo \"### TODO/FIXME count\"\n grep -r \"TODO\\|FIXME\" --include=\"*.go\" --include=\"*.cjs\" . 2>/dev/null | wc -l\n\n echo \"### README size\"\n wc -l README.md 2>/dev/null || echo \"No README.md\"\n} > /tmp/gh-aw/agent/analysis-context.md\necho \"✅ Quality metrics collected → /tmp/gh-aw/agent/analysis-context.md\"\n" + run: "mkdir -p /tmp/gh-aw/agent\n{\n echo \"## Focus Area History\"\n if [ -f /tmp/gh-aw/cache-memory-focus-areas/history.json ]; then\n cat /tmp/gh-aw/cache-memory-focus-areas/history.json\n else\n echo '{\"runs\":[],\"recent_areas\":[],\"statistics\":{\"total_runs\":0,\"custom_rate\":0,\"reuse_rate\":0,\"unique_areas_explored\":0}}'\n fi\n\n echo \"\"\n echo \"## Code Metrics\"\n echo \"### Largest Go source files (top 20)\"\n find . -type f -name \"*.go\" ! -name \"*_test.go\" ! -path \"./.git/*\" | xargs wc -l 2>/dev/null | sort -rn | head -21 | tail -20\n\n echo \"### Test ratio\"\n TEST_LOC=$(find . -type f -name \"*_test.go\" ! -path \"./.git/*\" | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}')\n SRC_LOC=$(find . -type f -name \"*.go\" ! -name \"*_test.go\" ! -path \"./.git/*\" | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}')\n echo \"Test LOC: $TEST_LOC | Source LOC: $SRC_LOC\"\n\n echo \"### Directory file counts\"\n for dir in cmd pkg docs .github; do\n if [ -d \"$dir\" ]; then\n echo \"$dir: $(find \"$dir\" -type f | wc -l) files\"\n fi\n done\n\n echo \"### TODO/FIXME count\"\n grep -r \"TODO\\|FIXME\" --include=\"*.go\" --include=\"*.cjs\" . 2>/dev/null | wc -l\n\n echo \"### README size\"\n wc -l README.md 2>/dev/null || echo \"No README.md\"\n} > /tmp/gh-aw/agent/analysis-context.md\necho \"✅ Quality metrics collected → /tmp/gh-aw/agent/analysis-context.md\"" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory (focus-areas) diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 6b5c2951ca7..30e66705b4f 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -569,7 +569,7 @@ jobs: GH_AW_SKILL_DIR: ".pi/skills" run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh" - name: Precompute schema analysis data - run: "set -e\nmkdir -p /tmp/gh-aw/agent\n\necho \"=== Extracting schema fields ===\"\n\n# 1. All top-level fields in the main JSON schema\nSCHEMA_FIELDS=$(jq -r '.properties | keys[]' pkg/parser/schemas/main_workflow_schema.json 2>/dev/null | sort -u || echo \"\")\n\n# 2. yaml-tagged struct fields in pkg/parser/*.go\nPARSER_YAML_FIELDS=$(grep -rh 'yaml:\"' pkg/parser/*.go 2>/dev/null \\\n | grep -o 'yaml:\"[^\"]*\"' \\\n | sed 's/yaml:\"//;s/\"//' \\\n | sed 's/,omitempty//' \\\n | sed 's/,.*$//' \\\n | grep -v '^-$' \\\n | grep -v '^$' \\\n | sort -u || echo \"\")\n\n# 3. yaml-tagged struct fields in pkg/workflow/*.go\nWORKFLOW_YAML_FIELDS=$(grep -rh 'yaml:\"' pkg/workflow/*.go 2>/dev/null \\\n | grep -o 'yaml:\"[^\"]*\"' \\\n | sed 's/yaml:\"//;s/\"//' \\\n | sed 's/,omitempty//' \\\n | sed 's/,.*$//' \\\n | grep -v '^-$' \\\n | grep -v '^$' \\\n | sort -u || echo \"\")\n\n# 4. Top-level frontmatter keys actually used in workflow .md files\nUSED_FIELDS=$(grep -rh '^[a-z][a-z0-9_-]*:' .github/workflows/*.md 2>/dev/null \\\n | sed 's/:.*//' \\\n | grep -v '^#' \\\n | sort -u || echo \"\")\n\n# 5. Schema field types for all top-level fields\nFIELD_TYPES=$(jq -r '.properties | to_entries[] |\n \"\\(.key): \\(.value.type // (.value.anyOf // .value.oneOf // [] | map(.type // \"complex\") | unique | join(\"|\")) // \"complex\")\"' \\\n pkg/parser/schemas/main_workflow_schema.json 2>/dev/null | sort || echo \"\")\n\n# 6. Fields in schema but absent as yaml tags in parser structs\nIN_SCHEMA_NOT_PARSER=$(comm -23 \\\n <(echo \"$SCHEMA_FIELDS\") \\\n <(echo \"$PARSER_YAML_FIELDS\" | sort -u) 2>/dev/null || echo \"\")\n\n# 7. yaml tags in parser structs absent from schema\nIN_PARSER_NOT_SCHEMA=$(comm -23 \\\n <(echo \"$PARSER_YAML_FIELDS\" | sort -u) \\\n <(echo \"$SCHEMA_FIELDS\") 2>/dev/null || echo \"\")\n\n# 8. Fields in schema but absent from workflow compiler structs\nIN_SCHEMA_NOT_WORKFLOW=$(comm -23 \\\n <(echo \"$SCHEMA_FIELDS\") \\\n <(echo \"$WORKFLOW_YAML_FIELDS\" | sort -u) 2>/dev/null || echo \"\")\n\n# 9. Fields used in actual workflow .md files but not in schema\nIN_USED_NOT_SCHEMA=$(comm -23 \\\n <(echo \"$USED_FIELDS\" | sort -u) \\\n <(echo \"$SCHEMA_FIELDS\") 2>/dev/null || echo \"\")\n\n# Write JSON output\njq -n \\\n --arg generated_at \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" \\\n --arg schema_fields \"$SCHEMA_FIELDS\" \\\n --arg parser_yaml_fields \"$PARSER_YAML_FIELDS\" \\\n --arg workflow_yaml_fields \"$WORKFLOW_YAML_FIELDS\" \\\n --arg used_in_workflows \"$USED_FIELDS\" \\\n --arg field_types \"$FIELD_TYPES\" \\\n --arg in_schema_not_parser \"$IN_SCHEMA_NOT_PARSER\" \\\n --arg in_parser_not_schema \"$IN_PARSER_NOT_SCHEMA\" \\\n --arg in_schema_not_workflow \"$IN_SCHEMA_NOT_WORKFLOW\" \\\n --arg in_used_not_schema \"$IN_USED_NOT_SCHEMA\" \\\n '{\n generated_at: $generated_at,\n schema_fields: ($schema_fields | split(\"\\n\") | map(select(. != \"\"))),\n parser_yaml_fields: ($parser_yaml_fields | split(\"\\n\") | map(select(. != \"\"))),\n workflow_yaml_fields: ($workflow_yaml_fields | split(\"\\n\") | map(select(. != \"\"))),\n used_in_workflows: ($used_in_workflows | split(\"\\n\") | map(select(. != \"\"))),\n field_types: ($field_types | split(\"\\n\") | map(select(. != \"\"))),\n field_gaps: {\n in_schema_not_parser: ($in_schema_not_parser | split(\"\\n\") | map(select(. != \"\"))),\n in_parser_not_schema: ($in_parser_not_schema | split(\"\\n\") | map(select(. != \"\"))),\n in_schema_not_workflow: ($in_schema_not_workflow | split(\"\\n\") | map(select(. != \"\"))),\n in_used_not_schema: ($in_used_not_schema | split(\"\\n\") | map(select(. != \"\")))\n }\n }' > /tmp/gh-aw/agent/schema-diff.json\n\necho \"✓ Schema diff written to /tmp/gh-aw/agent/schema-diff.json\"\necho \"Summary:\"\njq '{\n schema_field_count: (.schema_fields | length),\n parser_yaml_field_count: (.parser_yaml_fields | length),\n workflow_yaml_field_count: (.workflow_yaml_fields | length),\n gaps: {\n in_schema_not_parser: (.field_gaps.in_schema_not_parser | length),\n in_parser_not_schema: (.field_gaps.in_parser_not_schema | length),\n in_schema_not_workflow: (.field_gaps.in_schema_not_workflow | length),\n in_used_not_schema: (.field_gaps.in_used_not_schema | length)\n }\n}' /tmp/gh-aw/agent/schema-diff.json\n\necho \"=== AWF config source drift pre-check (gh-aw-firewall) ===\"\nAWF_SNAPSHOT_DIR=/tmp/gh-aw/cache-memory/awf-config-sources\nmkdir -p \"$AWF_SNAPSHOT_DIR\"\nAWF_CANONICAL_FETCH_DEGRADED=false\nAWF_USING_SNAPSHOT=false\nAWF_FETCH_FAILED_SOURCES=\"\"\n\nfetch_awf_source() {\n local source_path=\"$1\"\n local target_path=\"$2\"\n if ! gh api -H \"Accept: application/vnd.github.raw\" \"/repos/github/gh-aw-firewall/contents/${source_path}\" > \"$target_path\"; then\n AWF_CANONICAL_FETCH_DEGRADED=true\n AWF_FETCH_FAILED_SOURCES=\"${AWF_FETCH_FAILED_SOURCES}${source_path}\\n\"\n rm -f \"$target_path\"\n return 1\n fi\n}\n\nif [ -n \"${GH_TOKEN:-${GITHUB_TOKEN:-}}\" ]; then\n fetch_awf_source docs/awf-config.schema.json /tmp/gh-aw/agent/awf-config.schema.json || true\n fetch_awf_source src/awf-config-schema.json /tmp/gh-aw/agent/awf-config-runtime.schema.json || true\n fetch_awf_source docs/awf-config-spec.md /tmp/gh-aw/agent/awf-config-spec.md || true\nelse\n AWF_CANONICAL_FETCH_DEGRADED=true\n AWF_FETCH_FAILED_SOURCES=\"docs/awf-config.schema.json\\nsrc/awf-config-schema.json\\ndocs/awf-config-spec.md\\n\"\n echo \"⚠️ AWF canonical source fetch degraded: GH_TOKEN/GITHUB_TOKEN is not set\"\nfi\n\nfor source_path in docs/awf-config.schema.json src/awf-config-schema.json docs/awf-config-spec.md; do\n source_file=$(basename \"$source_path\")\n if [ \"$source_path\" = \"src/awf-config-schema.json\" ]; then\n target_path=/tmp/gh-aw/agent/awf-config-runtime.schema.json\n source_file=awf-config-runtime.schema.json\n else\n target_path=/tmp/gh-aw/agent/\"$source_file\"\n fi\n\n if [ ! -s \"$target_path\" ] && [ -s \"$AWF_SNAPSHOT_DIR/$source_file\" ]; then\n cp \"$AWF_SNAPSHOT_DIR/$source_file\" \"$target_path\"\n AWF_USING_SNAPSHOT=true\n echo \"⚠️ Using last-known AWF snapshot for $source_path\"\n fi\ndone\n\nif [ -s /tmp/gh-aw/agent/awf-config.schema.json ] && [ -s /tmp/gh-aw/agent/awf-config-runtime.schema.json ] && [ -s /tmp/gh-aw/agent/awf-config-spec.md ]; then\n cp /tmp/gh-aw/agent/awf-config.schema.json \"$AWF_SNAPSHOT_DIR/awf-config.schema.json\"\n cp /tmp/gh-aw/agent/awf-config-runtime.schema.json \"$AWF_SNAPSHOT_DIR/awf-config-runtime.schema.json\"\n cp /tmp/gh-aw/agent/awf-config-spec.md \"$AWF_SNAPSHOT_DIR/awf-config-spec.md\"\n\n jq -r '.properties | keys[]' /tmp/gh-aw/agent/awf-config.schema.json | sort -u \\\n > /tmp/gh-aw/agent/awf-config-top-level.txt\n jq -r '.properties | keys[]' /tmp/gh-aw/agent/awf-config-runtime.schema.json | sort -u \\\n > /tmp/gh-aw/agent/awf-config-runtime-top-level.txt\n rg --no-heading --no-filename 'apiProxy|container|sandbox|auth|network' pkg/workflow actions/setup \\\n | head -200 > /tmp/gh-aw/agent/awf-config-ghaw-refs.txt || true\n\n FAILED_SOURCES_JSON=$(printf \"%b\" \"$AWF_FETCH_FAILED_SOURCES\" | sed '/^$/d' | sort -u | jq -Rsc 'split(\"\\n\") | map(select(length > 0))')\n jq -n \\\n --arg generated_at \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" \\\n --arg spec_path \"docs/awf-config-spec.md\" \\\n --arg schema_path \"docs/awf-config.schema.json\" \\\n --arg runtime_schema_path \"src/awf-config-schema.json\" \\\n --arg top_level_count \"$(wc -l < /tmp/gh-aw/agent/awf-config-top-level.txt | tr -d ' ')\" \\\n --arg runtime_top_level_count \"$(wc -l < /tmp/gh-aw/agent/awf-config-runtime-top-level.txt | tr -d ' ')\" \\\n --arg refs_sample_count \"$(wc -l < /tmp/gh-aw/agent/awf-config-ghaw-refs.txt | tr -d ' ')\" \\\n --arg degraded \"$AWF_CANONICAL_FETCH_DEGRADED\" \\\n --arg using_snapshot \"$AWF_USING_SNAPSHOT\" \\\n --argjson failed_sources \"$FAILED_SOURCES_JSON\" \\\n '{\n generated_at: $generated_at,\n source_repo: \"github/gh-aw-firewall\",\n canonical_spec: $spec_path,\n canonical_schema: $schema_path,\n canonical_runtime_schema: $runtime_schema_path,\n top_level_property_count: ($top_level_count | tonumber),\n runtime_top_level_property_count: ($runtime_top_level_count | tonumber),\n ghaw_reference_sample_count: ($refs_sample_count | tonumber),\n degraded: ($degraded == \"true\"),\n using_snapshot: ($using_snapshot == \"true\"),\n failed_sources: $failed_sources\n }' > /tmp/gh-aw/agent/awf-config-drift.json\n if [ \"$AWF_CANONICAL_FETCH_DEGRADED\" = true ]; then\n echo \"⚠️ AWF canonical source fetch degraded; continuing in non-fatal mode\"\n else\n echo \"✓ AWF config source pre-check artifacts written under /tmp/gh-aw/agent/\"\n fi\nelse\n AWF_CANONICAL_FETCH_DEGRADED=true\n FAILED_SOURCES_JSON=$(printf \"%b\" \"$AWF_FETCH_FAILED_SOURCES\" | sed '/^$/d' | sort -u | jq -Rsc 'split(\"\\n\") | map(select(length > 0))')\n jq -n \\\n --arg generated_at \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" \\\n --argjson failed_sources \"$FAILED_SOURCES_JSON\" \\\n '{\n generated_at: $generated_at,\n source_repo: \"github/gh-aw-firewall\",\n degraded: true,\n warning: \"canonical source retrieval failed; skipping destructive AWF drift actions\",\n failed_sources: $failed_sources\n }' > /tmp/gh-aw/agent/awf-config-drift.json\n echo \"⚠️ AWF canonical source fetch failed; run marked degraded (non-fatal)\"\nfi\n" + run: "set -e\nmkdir -p /tmp/gh-aw/agent\n\necho \"=== Extracting schema fields ===\"\n\n# 1. All top-level fields in the main JSON schema\nSCHEMA_FIELDS=$(jq -r '.properties | keys[]' pkg/parser/schemas/main_workflow_schema.json 2>/dev/null | sort -u || echo \"\")\n\n# 2. yaml-tagged struct fields in pkg/parser/*.go\nPARSER_YAML_FIELDS=$(grep -rh 'yaml:\"' pkg/parser/*.go 2>/dev/null \\\n | grep -o 'yaml:\"[^\"]*\"' \\\n | sed 's/yaml:\"//;s/\"//' \\\n | sed 's/,omitempty//' \\\n | sed 's/,.*$//' \\\n | grep -v '^-$' \\\n | grep -v '^$' \\\n | sort -u || echo \"\")\n\n# 3. yaml-tagged struct fields in pkg/workflow/*.go\nWORKFLOW_YAML_FIELDS=$(grep -rh 'yaml:\"' pkg/workflow/*.go 2>/dev/null \\\n | grep -o 'yaml:\"[^\"]*\"' \\\n | sed 's/yaml:\"//;s/\"//' \\\n | sed 's/,omitempty//' \\\n | sed 's/,.*$//' \\\n | grep -v '^-$' \\\n | grep -v '^$' \\\n | sort -u || echo \"\")\n\n# 4. Top-level frontmatter keys actually used in workflow .md files\nUSED_FIELDS=$(grep -rh '^[a-z][a-z0-9_-]*:' .github/workflows/*.md 2>/dev/null \\\n | sed 's/:.*//' \\\n | grep -v '^#' \\\n | sort -u || echo \"\")\n\n# 5. Schema field types for all top-level fields\nFIELD_TYPES=$(jq -r '.properties | to_entries[] |\n \"\\(.key): \\(.value.type // (.value.anyOf // .value.oneOf // [] | map(.type // \"complex\") | unique | join(\"|\")) // \"complex\")\"' \\\n pkg/parser/schemas/main_workflow_schema.json 2>/dev/null | sort || echo \"\")\n\n# 6. Fields in schema but absent as yaml tags in parser structs\nIN_SCHEMA_NOT_PARSER=$(comm -23 \\\n <(echo \"$SCHEMA_FIELDS\") \\\n <(echo \"$PARSER_YAML_FIELDS\" | sort -u) 2>/dev/null || echo \"\")\n\n# 7. yaml tags in parser structs absent from schema\nIN_PARSER_NOT_SCHEMA=$(comm -23 \\\n <(echo \"$PARSER_YAML_FIELDS\" | sort -u) \\\n <(echo \"$SCHEMA_FIELDS\") 2>/dev/null || echo \"\")\n\n# 8. Fields in schema but absent from workflow compiler structs\nIN_SCHEMA_NOT_WORKFLOW=$(comm -23 \\\n <(echo \"$SCHEMA_FIELDS\") \\\n <(echo \"$WORKFLOW_YAML_FIELDS\" | sort -u) 2>/dev/null || echo \"\")\n\n# 9. Fields used in actual workflow .md files but not in schema\nIN_USED_NOT_SCHEMA=$(comm -23 \\\n <(echo \"$USED_FIELDS\" | sort -u) \\\n <(echo \"$SCHEMA_FIELDS\") 2>/dev/null || echo \"\")\n\n# Write JSON output\njq -n \\\n --arg generated_at \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" \\\n --arg schema_fields \"$SCHEMA_FIELDS\" \\\n --arg parser_yaml_fields \"$PARSER_YAML_FIELDS\" \\\n --arg workflow_yaml_fields \"$WORKFLOW_YAML_FIELDS\" \\\n --arg used_in_workflows \"$USED_FIELDS\" \\\n --arg field_types \"$FIELD_TYPES\" \\\n --arg in_schema_not_parser \"$IN_SCHEMA_NOT_PARSER\" \\\n --arg in_parser_not_schema \"$IN_PARSER_NOT_SCHEMA\" \\\n --arg in_schema_not_workflow \"$IN_SCHEMA_NOT_WORKFLOW\" \\\n --arg in_used_not_schema \"$IN_USED_NOT_SCHEMA\" \\\n '{\n generated_at: $generated_at,\n schema_fields: ($schema_fields | split(\"\\n\") | map(select(. != \"\"))),\n parser_yaml_fields: ($parser_yaml_fields | split(\"\\n\") | map(select(. != \"\"))),\n workflow_yaml_fields: ($workflow_yaml_fields | split(\"\\n\") | map(select(. != \"\"))),\n used_in_workflows: ($used_in_workflows | split(\"\\n\") | map(select(. != \"\"))),\n field_types: ($field_types | split(\"\\n\") | map(select(. != \"\"))),\n field_gaps: {\n in_schema_not_parser: ($in_schema_not_parser | split(\"\\n\") | map(select(. != \"\"))),\n in_parser_not_schema: ($in_parser_not_schema | split(\"\\n\") | map(select(. != \"\"))),\n in_schema_not_workflow: ($in_schema_not_workflow | split(\"\\n\") | map(select(. != \"\"))),\n in_used_not_schema: ($in_used_not_schema | split(\"\\n\") | map(select(. != \"\")))\n }\n }' > /tmp/gh-aw/agent/schema-diff.json\n\necho \"✓ Schema diff written to /tmp/gh-aw/agent/schema-diff.json\"\necho \"Summary:\"\njq '{\n schema_field_count: (.schema_fields | length),\n parser_yaml_field_count: (.parser_yaml_fields | length),\n workflow_yaml_field_count: (.workflow_yaml_fields | length),\n gaps: {\n in_schema_not_parser: (.field_gaps.in_schema_not_parser | length),\n in_parser_not_schema: (.field_gaps.in_parser_not_schema | length),\n in_schema_not_workflow: (.field_gaps.in_schema_not_workflow | length),\n in_used_not_schema: (.field_gaps.in_used_not_schema | length)\n }\n}' /tmp/gh-aw/agent/schema-diff.json\n\necho \"=== AWF config source drift pre-check (gh-aw-firewall) ===\"\nAWF_SNAPSHOT_DIR=/tmp/gh-aw/cache-memory/awf-config-sources\nmkdir -p \"$AWF_SNAPSHOT_DIR\"\nAWF_CANONICAL_FETCH_DEGRADED=false\nAWF_USING_SNAPSHOT=false\nAWF_FETCH_FAILED_SOURCES=\"\"\n\nfetch_awf_source() {\n local source_path=\"$1\"\n local target_path=\"$2\"\n if ! gh api -H \"Accept: application/vnd.github.raw\" \"/repos/github/gh-aw-firewall/contents/${source_path}\" > \"$target_path\"; then\n AWF_CANONICAL_FETCH_DEGRADED=true\n AWF_FETCH_FAILED_SOURCES=\"${AWF_FETCH_FAILED_SOURCES}${source_path}\\n\"\n rm -f \"$target_path\"\n return 1\n fi\n}\n\nif [ -n \"${GH_TOKEN:-${GITHUB_TOKEN:-}}\" ]; then\n fetch_awf_source docs/awf-config.schema.json /tmp/gh-aw/agent/awf-config.schema.json || true\n fetch_awf_source src/awf-config-schema.json /tmp/gh-aw/agent/awf-config-runtime.schema.json || true\n fetch_awf_source docs/awf-config-spec.md /tmp/gh-aw/agent/awf-config-spec.md || true\nelse\n AWF_CANONICAL_FETCH_DEGRADED=true\n AWF_FETCH_FAILED_SOURCES=\"docs/awf-config.schema.json\\nsrc/awf-config-schema.json\\ndocs/awf-config-spec.md\\n\"\n echo \"⚠️ AWF canonical source fetch degraded: GH_TOKEN/GITHUB_TOKEN is not set\"\nfi\n\nfor source_path in docs/awf-config.schema.json src/awf-config-schema.json docs/awf-config-spec.md; do\n source_file=$(basename \"$source_path\")\n if [ \"$source_path\" = \"src/awf-config-schema.json\" ]; then\n target_path=/tmp/gh-aw/agent/awf-config-runtime.schema.json\n source_file=awf-config-runtime.schema.json\n else\n target_path=/tmp/gh-aw/agent/\"$source_file\"\n fi\n\n if [ ! -s \"$target_path\" ] && [ -s \"$AWF_SNAPSHOT_DIR/$source_file\" ]; then\n cp \"$AWF_SNAPSHOT_DIR/$source_file\" \"$target_path\"\n AWF_USING_SNAPSHOT=true\n echo \"⚠️ Using last-known AWF snapshot for $source_path\"\n fi\ndone\n\nif [ -s /tmp/gh-aw/agent/awf-config.schema.json ] && [ -s /tmp/gh-aw/agent/awf-config-runtime.schema.json ] && [ -s /tmp/gh-aw/agent/awf-config-spec.md ]; then\n cp /tmp/gh-aw/agent/awf-config.schema.json \"$AWF_SNAPSHOT_DIR/awf-config.schema.json\"\n cp /tmp/gh-aw/agent/awf-config-runtime.schema.json \"$AWF_SNAPSHOT_DIR/awf-config-runtime.schema.json\"\n cp /tmp/gh-aw/agent/awf-config-spec.md \"$AWF_SNAPSHOT_DIR/awf-config-spec.md\"\n\n jq -r '.properties | keys[]' /tmp/gh-aw/agent/awf-config.schema.json | sort -u \\\n > /tmp/gh-aw/agent/awf-config-top-level.txt\n jq -r '.properties | keys[]' /tmp/gh-aw/agent/awf-config-runtime.schema.json | sort -u \\\n > /tmp/gh-aw/agent/awf-config-runtime-top-level.txt\n rg --no-heading --no-filename 'apiProxy|container|sandbox|auth|network' pkg/workflow actions/setup \\\n | head -200 > /tmp/gh-aw/agent/awf-config-ghaw-refs.txt || true\n\n FAILED_SOURCES_JSON=$(printf \"%b\" \"$AWF_FETCH_FAILED_SOURCES\" | sed '/^$/d' | sort -u | jq -Rsc 'split(\"\\n\") | map(select(length > 0))')\n jq -n \\\n --arg generated_at \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" \\\n --arg spec_path \"docs/awf-config-spec.md\" \\\n --arg schema_path \"docs/awf-config.schema.json\" \\\n --arg runtime_schema_path \"src/awf-config-schema.json\" \\\n --arg top_level_count \"$(wc -l < /tmp/gh-aw/agent/awf-config-top-level.txt | tr -d ' ')\" \\\n --arg runtime_top_level_count \"$(wc -l < /tmp/gh-aw/agent/awf-config-runtime-top-level.txt | tr -d ' ')\" \\\n --arg refs_sample_count \"$(wc -l < /tmp/gh-aw/agent/awf-config-ghaw-refs.txt | tr -d ' ')\" \\\n --arg degraded \"$AWF_CANONICAL_FETCH_DEGRADED\" \\\n --arg using_snapshot \"$AWF_USING_SNAPSHOT\" \\\n --argjson failed_sources \"$FAILED_SOURCES_JSON\" \\\n '{\n generated_at: $generated_at,\n source_repo: \"github/gh-aw-firewall\",\n canonical_spec: $spec_path,\n canonical_schema: $schema_path,\n canonical_runtime_schema: $runtime_schema_path,\n top_level_property_count: ($top_level_count | tonumber),\n runtime_top_level_property_count: ($runtime_top_level_count | tonumber),\n ghaw_reference_sample_count: ($refs_sample_count | tonumber),\n degraded: ($degraded == \"true\"),\n using_snapshot: ($using_snapshot == \"true\"),\n failed_sources: $failed_sources\n }' > /tmp/gh-aw/agent/awf-config-drift.json\n if [ \"$AWF_CANONICAL_FETCH_DEGRADED\" = true ]; then\n echo \"⚠️ AWF canonical source fetch degraded; continuing in non-fatal mode\"\n else\n echo \"✓ AWF config source pre-check artifacts written under /tmp/gh-aw/agent/\"\n fi\nelse\n AWF_CANONICAL_FETCH_DEGRADED=true\n FAILED_SOURCES_JSON=$(printf \"%b\" \"$AWF_FETCH_FAILED_SOURCES\" | sed '/^$/d' | sort -u | jq -Rsc 'split(\"\\n\") | map(select(length > 0))')\n jq -n \\\n --arg generated_at \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" \\\n --argjson failed_sources \"$FAILED_SOURCES_JSON\" \\\n '{\n generated_at: $generated_at,\n source_repo: \"github/gh-aw-firewall\",\n degraded: true,\n warning: \"canonical source retrieval failed; skipping destructive AWF drift actions\",\n failed_sources: $failed_sources\n }' > /tmp/gh-aw/agent/awf-config-drift.json\n echo \"⚠️ AWF canonical source fetch failed; run marked degraded (non-fatal)\"\nfi" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/spec-extractor.lock.yml b/.github/workflows/spec-extractor.lock.yml index 433d4a21177..95b59a460c2 100644 --- a/.github/workflows/spec-extractor.lock.yml +++ b/.github/workflows/spec-extractor.lock.yml @@ -564,7 +564,7 @@ jobs: GH_AW_SKILL_DIR: ".github/skills" run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh" - name: Collect package analysis data - run: "set -e\nPACKAGES=(agentdrain cli console constants envutil fileutil gitutil logger parser repoutil semverutil sliceutil stringutil styles testutil timeutil tty types typeutil workflow)\nTOTAL=${#PACKAGES[@]}\nCACHE_DIR=/tmp/gh-aw/cache-memory/spec-extractor\nCONTEXT=/tmp/gh-aw/agent/pkg-context.md\n\n# Initialize or load rotation state\nmkdir -p \"$CACHE_DIR/extractions\"\nif [ -f \"$CACHE_DIR/rotation.json\" ]; then\n LAST_INDEX=$(python3 -c \"import json; d=json.load(open('$CACHE_DIR/rotation.json')); print(d.get('last_index', 0))\" 2>/dev/null || echo 0)\nelse\n printf '{\"last_index\":0,\"last_packages\":[],\"last_run\":\"\",\"total_packages\":%d}\\n' \"$TOTAL\" > \"$CACHE_DIR/rotation.json\"\n LAST_INDEX=0\nfi\n\n# Select next 4 packages using round-robin\nPKG0=\"${PACKAGES[$((LAST_INDEX % TOTAL))]}\"\nPKG1=\"${PACKAGES[$(((LAST_INDEX + 1) % TOTAL))]}\"\nPKG2=\"${PACKAGES[$(((LAST_INDEX + 2) % TOTAL))]}\"\nPKG3=\"${PACKAGES[$(((LAST_INDEX + 3) % TOTAL))]}\"\nNEXT_INDEX=$(((LAST_INDEX + 4) % TOTAL))\nSELECTED=(\"$PKG0\" \"$PKG1\" \"$PKG2\" \"$PKG3\")\n\necho \"Selected packages: ${SELECTED[*]} (last_index=$LAST_INDEX, next=$NEXT_INDEX)\"\n\n# Collect analysis data for each package into the context file\n{\n echo \"# Package Analysis Context\"\n echo \"\"\n echo \"**Run date**: $(date -u +%Y-%m-%d)\"\n echo \"**Rotation last_index (current)**: $LAST_INDEX\"\n echo \"**Selected packages**: ${SELECTED[*]}\"\n echo \"**Next last_index (save this after run)**: $NEXT_INDEX\"\n echo \"\"\n\n for PKG in \"${SELECTED[@]}\"; do\n echo \"---\"\n echo \"\"\n echo \"## Package: \\`$PKG\\`\"\n echo \"\"\n\n echo \"### Source Files\"\n echo '```'\n find \"pkg/$PKG\" -name '*.go' ! -name '*_test.go' -type f 2>/dev/null | sort || true\n echo '```'\n\n echo \"### Line Counts\"\n echo '```'\n wc -l pkg/\"$PKG\"/*.go 2>/dev/null || true\n echo '```'\n\n echo \"### Exported Functions\"\n echo '```'\n grep -rn \"^func [A-Z]\" \"pkg/$PKG\" --include='*.go' 2>/dev/null || true\n echo '```'\n\n echo \"### Exported Types\"\n echo '```'\n grep -rn \"^type [A-Z]\" \"pkg/$PKG\" --include='*.go' 2>/dev/null || true\n echo '```'\n\n echo \"### Exported Constants\"\n echo '```'\n grep -rn \"^const [A-Z]\" \"pkg/$PKG\" --include='*.go' 2>/dev/null || true\n echo '```'\n\n echo \"### Exported Variables\"\n echo '```'\n grep -rn \"^var [A-Z]\" \"pkg/$PKG\" --include='*.go' 2>/dev/null || true\n echo '```'\n\n echo \"### Package Doc Comments (first 30 lines per file)\"\n for f in pkg/\"$PKG\"/*.go; do\n [ -f \"$f\" ] || continue\n echo \"#### $f\"\n echo '```go'\n head -n 30 \"$f\" 2>/dev/null || true\n echo '```'\n done\n\n echo \"### Imports\"\n echo '```'\n find \"pkg/$PKG\" -name '*.go' ! -name '*_test.go' -type f | xargs grep -h \"import\" 2>/dev/null | sort -u || true\n echo '```'\n\n echo \"### Existing README.md\"\n echo '```markdown'\n cat \"pkg/$PKG/README.md\" 2>/dev/null || echo \"No existing README.md\"\n echo '```'\n\n echo \"### Recent Git History (30 days)\"\n echo '```'\n git log --oneline --since='30 days ago' -- \"pkg/$PKG\" 2>/dev/null || true\n echo '```'\n echo \"\"\n done\n} > \"$CONTEXT\"\necho \"Context file written to $CONTEXT ($(wc -l < \"$CONTEXT\") lines)\"\n" + run: "set -e\nPACKAGES=(agentdrain cli console constants envutil fileutil gitutil logger parser repoutil semverutil sliceutil stringutil styles testutil timeutil tty types typeutil workflow)\nTOTAL=${#PACKAGES[@]}\nCACHE_DIR=/tmp/gh-aw/cache-memory/spec-extractor\nCONTEXT=/tmp/gh-aw/agent/pkg-context.md\n\n# Initialize or load rotation state\nmkdir -p \"$CACHE_DIR/extractions\"\nif [ -f \"$CACHE_DIR/rotation.json\" ]; then\n LAST_INDEX=$(python3 -c \"import json; d=json.load(open('$CACHE_DIR/rotation.json')); print(d.get('last_index', 0))\" 2>/dev/null || echo 0)\nelse\n printf '{\"last_index\":0,\"last_packages\":[],\"last_run\":\"\",\"total_packages\":%d}\\n' \"$TOTAL\" > \"$CACHE_DIR/rotation.json\"\n LAST_INDEX=0\nfi\n\n# Select next 4 packages using round-robin\nPKG0=\"${PACKAGES[$((LAST_INDEX % TOTAL))]}\"\nPKG1=\"${PACKAGES[$(((LAST_INDEX + 1) % TOTAL))]}\"\nPKG2=\"${PACKAGES[$(((LAST_INDEX + 2) % TOTAL))]}\"\nPKG3=\"${PACKAGES[$(((LAST_INDEX + 3) % TOTAL))]}\"\nNEXT_INDEX=$(((LAST_INDEX + 4) % TOTAL))\nSELECTED=(\"$PKG0\" \"$PKG1\" \"$PKG2\" \"$PKG3\")\n\necho \"Selected packages: ${SELECTED[*]} (last_index=$LAST_INDEX, next=$NEXT_INDEX)\"\n\n# Collect analysis data for each package into the context file\n{\n echo \"# Package Analysis Context\"\n echo \"\"\n echo \"**Run date**: $(date -u +%Y-%m-%d)\"\n echo \"**Rotation last_index (current)**: $LAST_INDEX\"\n echo \"**Selected packages**: ${SELECTED[*]}\"\n echo \"**Next last_index (save this after run)**: $NEXT_INDEX\"\n echo \"\"\n\n for PKG in \"${SELECTED[@]}\"; do\n echo \"---\"\n echo \"\"\n echo \"## Package: \\`$PKG\\`\"\n echo \"\"\n\n echo \"### Source Files\"\n echo '```'\n find \"pkg/$PKG\" -name '*.go' ! -name '*_test.go' -type f 2>/dev/null | sort || true\n echo '```'\n\n echo \"### Line Counts\"\n echo '```'\n wc -l pkg/\"$PKG\"/*.go 2>/dev/null || true\n echo '```'\n\n echo \"### Exported Functions\"\n echo '```'\n grep -rn \"^func [A-Z]\" \"pkg/$PKG\" --include='*.go' 2>/dev/null || true\n echo '```'\n\n echo \"### Exported Types\"\n echo '```'\n grep -rn \"^type [A-Z]\" \"pkg/$PKG\" --include='*.go' 2>/dev/null || true\n echo '```'\n\n echo \"### Exported Constants\"\n echo '```'\n grep -rn \"^const [A-Z]\" \"pkg/$PKG\" --include='*.go' 2>/dev/null || true\n echo '```'\n\n echo \"### Exported Variables\"\n echo '```'\n grep -rn \"^var [A-Z]\" \"pkg/$PKG\" --include='*.go' 2>/dev/null || true\n echo '```'\n\n echo \"### Package Doc Comments (first 30 lines per file)\"\n for f in pkg/\"$PKG\"/*.go; do\n [ -f \"$f\" ] || continue\n echo \"#### $f\"\n echo '```go'\n head -n 30 \"$f\" 2>/dev/null || true\n echo '```'\n done\n\n echo \"### Imports\"\n echo '```'\n find \"pkg/$PKG\" -name '*.go' ! -name '*_test.go' -type f | xargs grep -h \"import\" 2>/dev/null | sort -u || true\n echo '```'\n\n echo \"### Existing README.md\"\n echo '```markdown'\n cat \"pkg/$PKG/README.md\" 2>/dev/null || echo \"No existing README.md\"\n echo '```'\n\n echo \"### Recent Git History (30 days)\"\n echo '```'\n git log --oneline --since='30 days ago' -- \"pkg/$PKG\" 2>/dev/null || true\n echo '```'\n echo \"\"\n done\n} > \"$CONTEXT\"\necho \"Context file written to $CONTEXT ($(wc -l < \"$CONTEXT\") lines)\"" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 3824e5ff292..3465903f59d 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -575,7 +575,7 @@ jobs: NODE_EXTRA_CA_CERTS: /tmp/gh-aw/proxy-logs/proxy-tls/ca.crt ORGANIZATION: ${{ env.ORGANIZATION }} - name: Save stale repos output - run: | + run: |- mkdir -p /tmp/gh-aw/agent/stale-repos-data echo "$INACTIVE_REPOS" > /tmp/gh-aw/agent/stale-repos-data/inactive-repos.json echo "Stale repositories data saved" diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index b3603ded51f..dc2512f46d8 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -541,7 +541,7 @@ jobs: - name: Verify static analysis tools run: "set -e\necho \"Verifying static analysis tools are available...\"\n\n# Verify zizmor\necho \"Testing zizmor...\"\ndocker run --rm ghcr.io/zizmorcore/zizmor:latest --version || echo \"Warning: zizmor version check failed\"\n\n# Verify poutine\necho \"Testing poutine...\"\ndocker run --rm ghcr.io/boostsecurityio/poutine:latest --version || echo \"Warning: poutine version check failed\"\n\n# Verify runner-guard\necho \"Testing runner-guard...\"\ndocker run --rm ghcr.io/vigilant-llc/runner-guard:latest --version || echo \"Warning: runner-guard version check failed\"\n\necho \"Static analysis tools verification complete\"\n" - name: Run compile with security tools - run: "set -e\necho \"Running gh aw compile with security tools to download Docker images...\"\n\n# Run compile with all security scanner flags to download Docker images\n# Store the output in a file for inspection\n\"$GITHUB_WORKSPACE/gh-aw\" compile --zizmor --poutine --actionlint --runner-guard 2>&1 | tee /tmp/gh-aw/agent/compile-output.txt\n\necho \"Compile with security tools completed\"\necho \"Output saved to /tmp/gh-aw/agent/compile-output.txt\"\n" + run: "set -e\necho \"Running gh aw compile with security tools to download Docker images...\"\n\n# Run compile with all security scanner flags to download Docker images\n# Store the output in a file for inspection\n\"$GITHUB_WORKSPACE/gh-aw\" compile --zizmor --poutine --actionlint --runner-guard 2>&1 | tee /tmp/gh-aw/agent/compile-output.txt\n\necho \"Compile with security tools completed\"\necho \"Output saved to /tmp/gh-aw/agent/compile-output.txt\"" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 4c88a31a24d..6c89ee64f04 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -480,7 +480,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Build step alignment manifest - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\nMANIFEST_JSONL=\"/tmp/gh-aw/agent/step-alignment-input.jsonl\"\nMANIFEST_JSON=\"/tmp/gh-aw/agent/step-alignment-input.json\"\n: > \"$MANIFEST_JSONL\"\n\nwhile IFS= read -r workflow_file; do\n yq -o=json \\\n '.jobs | to_entries[] | .value.steps[]? | {\"workflow_file\": \"'\"$workflow_file\"'\", \"step_name\": (.name // \"\"), \"action_uses\": (.uses // \"\")}' \\\n \"$workflow_file\" >> \"$MANIFEST_JSONL\"\ndone < <(find .github/workflows -name \"*.lock.yml\" -type f | sort)\n\njq -s '.' \"$MANIFEST_JSONL\" > \"$MANIFEST_JSON\"\nrm -f \"$MANIFEST_JSONL\"\n\necho \"Wrote $(jq 'length' \"$MANIFEST_JSON\") step records to $MANIFEST_JSON\"\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\nMANIFEST_JSONL=\"/tmp/gh-aw/agent/step-alignment-input.jsonl\"\nMANIFEST_JSON=\"/tmp/gh-aw/agent/step-alignment-input.json\"\n: > \"$MANIFEST_JSONL\"\n\nwhile IFS= read -r workflow_file; do\n yq -o=json \\\n '.jobs | to_entries[] | .value.steps[]? | {\"workflow_file\": \"'\"$workflow_file\"'\", \"step_name\": (.name // \"\"), \"action_uses\": (.uses // \"\")}' \\\n \"$workflow_file\" >> \"$MANIFEST_JSONL\"\ndone < <(find .github/workflows -name \"*.lock.yml\" -type f | sort)\n\njq -s '.' \"$MANIFEST_JSONL\" > \"$MANIFEST_JSON\"\nrm -f \"$MANIFEST_JSONL\"\n\necho \"Wrote $(jq 'length' \"$MANIFEST_JSON\") step records to $MANIFEST_JSON\"" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory diff --git a/.github/workflows/test-quality-sentinel.lock.yml b/.github/workflows/test-quality-sentinel.lock.yml index 0c6d1dd379d..aa3d110da05 100644 --- a/.github/workflows/test-quality-sentinel.lock.yml +++ b/.github/workflows/test-quality-sentinel.lock.yml @@ -574,7 +574,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.pull_request.number }} name: Pre-fetch PR data - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\n# PR metadata\ngh pr view \"$PR_NUMBER\" \\\n --json files,additions,deletions,baseRefName,headRefName \\\n > /tmp/gh-aw/agent/pr-meta.json\n\n# List of changed test files\ngh pr diff \"$PR_NUMBER\" \\\n --name-only | grep -E '(_test\\.go|\\.test\\.cjs|\\.test\\.js)$' \\\n > /tmp/gh-aw/agent/test-files.txt || true\n\n# Diff for test files only; capped at 40 KB to control cache token costs\nif [ -s /tmp/gh-aw/agent/test-files.txt ]; then\n # shellcheck disable=SC2046\n gh pr diff \"$PR_NUMBER\" \\\n -- $(tr '\\n' ' ' < /tmp/gh-aw/agent/test-files.txt) \\\n | head -c 40000 \\\n > /tmp/gh-aw/agent/test-diff.txt 2>/dev/null || true\nelse\n touch /tmp/gh-aw/agent/test-diff.txt\nfi\n\ngit diff \"$EXPR_GITHUB_EVENT_PULL_REQUEST_BASE_SHA...HEAD\" --numstat \\\n > /tmp/gh-aw/agent/diff-numstat.txt 2>/dev/null || true\n\n# Extract new/modified test function signatures from the diff\nif [ -s /tmp/gh-aw/agent/test-diff.txt ]; then\n grep -E \"^\\+func Test\" /tmp/gh-aw/agent/test-diff.txt \\\n > /tmp/gh-aw/agent/go-new-test-funcs.txt || true\n grep -E \"^\\+(it|test|describe)\\(\" /tmp/gh-aw/agent/test-diff.txt \\\n > /tmp/gh-aw/agent/js-new-test-funcs.txt || true\n # Check for new Go test files missing mandatory build tags\n git diff \"$EXPR_GITHUB_EVENT_PULL_REQUEST_BASE_SHA...HEAD\" \\\n --diff-filter=A --name-only 2>/dev/null \\\n | grep '_test\\.go$' | while read -r f; do\n if ! head -1 \"$f\" | grep -qE '^//go:build'; then\n echo \"MISSING BUILD TAG: $f\"\n fi\n done > /tmp/gh-aw/agent/missing-build-tags.txt || true\n # Go test structural stats (assertions, error checks, table-driven, forbidden mocks)\n awk '\n /^\\+func Test/ {\n if (test_name) print test_name, \"assertions=\" assertions, \"errors=\" errors, \"table_driven=\" table_driven, \"forbidden_mocks=\" forbidden_mocks\n match($0, /func (Test[^(]+)/, arr); test_name=arr[1]; assertions=0; errors=0; table_driven=0; forbidden_mocks=0\n }\n test_name && /^\\+.*(assert\\.|require\\.)/ { assertions++ }\n test_name && /^\\+.*t\\.(Error|Errorf|Fatal|Fatalf)\\(/ { assertions++; errors++ }\n test_name && /^\\+.*(assert\\.Error|require\\.Error|assert\\.NoError|require\\.NoError)/ { errors++ }\n test_name && /^\\+.*t\\.Run\\(/ { table_driven++ }\n test_name && /^\\+.*(gomock\\.|testify\\/mock|\\.EXPECT\\(\\)|\\.On\\(|\\.Return\\()/ { forbidden_mocks++ }\n test_name && /^\\+\\}$/ { print test_name, \"assertions=\" assertions, \"errors=\" errors, \"table_driven=\" table_driven, \"forbidden_mocks=\" forbidden_mocks; test_name=\"\" }\n END { if (test_name) print test_name, \"assertions=\" assertions, \"errors=\" errors, \"table_driven=\" table_driven, \"forbidden_mocks=\" forbidden_mocks }\n ' /tmp/gh-aw/agent/test-diff.txt > /tmp/gh-aw/agent/go-test-stats.txt || true\n # JS test structural stats (assertions, error matchers, vi.* mocks)\n awk '\n /^\\+(it|test)\\(/ {\n if (test_name) print test_name, \"assertions=\" assertions, \"errors=\" errors, \"mocks=\" mocks\n match($0, /(it|test)\\([\"\\047]([^\"\\047]+)/, arr); test_name=arr[2]; assertions=0; errors=0; mocks=0\n }\n test_name && /^\\+.*expect\\(/ { assertions++ }\n test_name && /^\\+.*(\\.toThrow|\\.rejects|\\.toThrowError)/ { errors++ }\n test_name && /^\\+.*(vi\\.mock|vi\\.spyOn|vi\\.fn)/ { mocks++ }\n test_name && /^\\+\\}\\)/ { print test_name, \"assertions=\" assertions, \"errors=\" errors, \"mocks=\" mocks; test_name=\"\" }\n END { if (test_name) print test_name, \"assertions=\" assertions, \"errors=\" errors, \"mocks=\" mocks }\n ' /tmp/gh-aw/agent/test-diff.txt > /tmp/gh-aw/agent/js-test-stats.txt || true\nelse\n touch /tmp/gh-aw/agent/go-new-test-funcs.txt \\\n /tmp/gh-aw/agent/js-new-test-funcs.txt \\\n /tmp/gh-aw/agent/missing-build-tags.txt \\\n /tmp/gh-aw/agent/go-test-stats.txt \\\n /tmp/gh-aw/agent/js-test-stats.txt\nfi\n\necho \"Pre-fetched $(grep -c . /tmp/gh-aw/agent/test-files.txt || echo 0) test files\"\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\n# PR metadata\ngh pr view \"$PR_NUMBER\" \\\n --json files,additions,deletions,baseRefName,headRefName \\\n > /tmp/gh-aw/agent/pr-meta.json\n\n# List of changed test files\ngh pr diff \"$PR_NUMBER\" \\\n --name-only | grep -E '(_test\\.go|\\.test\\.cjs|\\.test\\.js)$' \\\n > /tmp/gh-aw/agent/test-files.txt || true\n\n# Diff for test files only; capped at 40 KB to control cache token costs\nif [ -s /tmp/gh-aw/agent/test-files.txt ]; then\n # shellcheck disable=SC2046\n gh pr diff \"$PR_NUMBER\" \\\n -- $(tr '\\n' ' ' < /tmp/gh-aw/agent/test-files.txt) \\\n | head -c 40000 \\\n > /tmp/gh-aw/agent/test-diff.txt 2>/dev/null || true\nelse\n touch /tmp/gh-aw/agent/test-diff.txt\nfi\n\ngit diff \"$EXPR_GITHUB_EVENT_PULL_REQUEST_BASE_SHA...HEAD\" --numstat \\\n > /tmp/gh-aw/agent/diff-numstat.txt 2>/dev/null || true\n\n# Extract new/modified test function signatures from the diff\nif [ -s /tmp/gh-aw/agent/test-diff.txt ]; then\n grep -E \"^\\+func Test\" /tmp/gh-aw/agent/test-diff.txt \\\n > /tmp/gh-aw/agent/go-new-test-funcs.txt || true\n grep -E \"^\\+(it|test|describe)\\(\" /tmp/gh-aw/agent/test-diff.txt \\\n > /tmp/gh-aw/agent/js-new-test-funcs.txt || true\n # Check for new Go test files missing mandatory build tags\n git diff \"$EXPR_GITHUB_EVENT_PULL_REQUEST_BASE_SHA...HEAD\" \\\n --diff-filter=A --name-only 2>/dev/null \\\n | grep '_test\\.go$' | while read -r f; do\n if ! head -1 \"$f\" | grep -qE '^//go:build'; then\n echo \"MISSING BUILD TAG: $f\"\n fi\n done > /tmp/gh-aw/agent/missing-build-tags.txt || true\n # Go test structural stats (assertions, error checks, table-driven, forbidden mocks)\n awk '\n /^\\+func Test/ {\n if (test_name) print test_name, \"assertions=\" assertions, \"errors=\" errors, \"table_driven=\" table_driven, \"forbidden_mocks=\" forbidden_mocks\n match($0, /func (Test[^(]+)/, arr); test_name=arr[1]; assertions=0; errors=0; table_driven=0; forbidden_mocks=0\n }\n test_name && /^\\+.*(assert\\.|require\\.)/ { assertions++ }\n test_name && /^\\+.*t\\.(Error|Errorf|Fatal|Fatalf)\\(/ { assertions++; errors++ }\n test_name && /^\\+.*(assert\\.Error|require\\.Error|assert\\.NoError|require\\.NoError)/ { errors++ }\n test_name && /^\\+.*t\\.Run\\(/ { table_driven++ }\n test_name && /^\\+.*(gomock\\.|testify\\/mock|\\.EXPECT\\(\\)|\\.On\\(|\\.Return\\()/ { forbidden_mocks++ }\n test_name && /^\\+\\}$/ { print test_name, \"assertions=\" assertions, \"errors=\" errors, \"table_driven=\" table_driven, \"forbidden_mocks=\" forbidden_mocks; test_name=\"\" }\n END { if (test_name) print test_name, \"assertions=\" assertions, \"errors=\" errors, \"table_driven=\" table_driven, \"forbidden_mocks=\" forbidden_mocks }\n ' /tmp/gh-aw/agent/test-diff.txt > /tmp/gh-aw/agent/go-test-stats.txt || true\n # JS test structural stats (assertions, error matchers, vi.* mocks)\n awk '\n /^\\+(it|test)\\(/ {\n if (test_name) print test_name, \"assertions=\" assertions, \"errors=\" errors, \"mocks=\" mocks\n match($0, /(it|test)\\([\"\\047]([^\"\\047]+)/, arr); test_name=arr[2]; assertions=0; errors=0; mocks=0\n }\n test_name && /^\\+.*expect\\(/ { assertions++ }\n test_name && /^\\+.*(\\.toThrow|\\.rejects|\\.toThrowError)/ { errors++ }\n test_name && /^\\+.*(vi\\.mock|vi\\.spyOn|vi\\.fn)/ { mocks++ }\n test_name && /^\\+\\}\\)/ { print test_name, \"assertions=\" assertions, \"errors=\" errors, \"mocks=\" mocks; test_name=\"\" }\n END { if (test_name) print test_name, \"assertions=\" assertions, \"errors=\" errors, \"mocks=\" mocks }\n ' /tmp/gh-aw/agent/test-diff.txt > /tmp/gh-aw/agent/js-test-stats.txt || true\nelse\n touch /tmp/gh-aw/agent/go-new-test-funcs.txt \\\n /tmp/gh-aw/agent/js-new-test-funcs.txt \\\n /tmp/gh-aw/agent/missing-build-tags.txt \\\n /tmp/gh-aw/agent/go-test-stats.txt \\\n /tmp/gh-aw/agent/js-test-stats.txt\nfi\n\necho \"Pre-fetched $(grep -c . /tmp/gh-aw/agent/test-files.txt || echo 0) test files\"" - name: Configure Git credentials env: diff --git a/.github/workflows/uk-ai-operational-resilience.lock.yml b/.github/workflows/uk-ai-operational-resilience.lock.yml index 83c3409c359..4b44a0f0085 100644 --- a/.github/workflows/uk-ai-operational-resilience.lock.yml +++ b/.github/workflows/uk-ai-operational-resilience.lock.yml @@ -544,7 +544,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} LOOKBACK_DAYS: ${{ github.event.inputs.lookback_days || '7' }} name: Pre-compute recent changes governance context - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\nREPO=\"${GITHUB_REPOSITORY}\"\nDAYS=\"${LOOKBACK_DAYS}\"\nif ! [[ \"$DAYS\" =~ ^[0-9]+$ ]]; then DAYS=7; fi\nif [ \"$DAYS\" -lt 1 ]; then DAYS=1; fi\nif [ \"$DAYS\" -gt 30 ]; then DAYS=30; fi\n\nSINCE=\"$(date -u -d \"-${DAYS} days\" +%Y-%m-%dT%H:%M:%SZ)\"\necho \"$SINCE\" >/tmp/gh-aw/agent/since.txt\n\ngh api --paginate \"repos/${REPO}/commits?since=${SINCE}&per_page=100\" | jq -s 'add // []' > /tmp/gh-aw/agent/recent-commits.json\ngh api --paginate \"repos/${REPO}/issues?state=open&labels=security&per_page=100\" | jq -s 'add // []' > /tmp/gh-aw/agent/open-security-issues.json\ngh api --paginate \"repos/${REPO}/code-scanning/alerts?state=open&per_page=100\" | jq -s 'add // []' > /tmp/gh-aw/agent/open-code-scanning-alerts.json || echo \"[]\" >/tmp/gh-aw/agent/open-code-scanning-alerts.json\ngh api --paginate \"repos/${REPO}/secret-scanning/alerts?state=open&per_page=100\" | jq -s 'add // []' > /tmp/gh-aw/agent/open-secret-scanning-alerts.json || echo \"[]\" >/tmp/gh-aw/agent/open-secret-scanning-alerts.json\n\njq -r '\n [.[].commit.message]\n | map(select(type==\"string\"))\n | map(\n if test(\"security|vuln|cve|patch|auth|secret|token|permissions|hardening\"; \"i\")\n then .\n else empty\n end\n )' /tmp/gh-aw/agent/recent-commits.json > /tmp/gh-aw/agent/security-signal-commits.json\n\n{\n echo \"## UK AI Governance Pre-compute\"\n echo \"- Repository: ${REPO}\"\n echo \"- Lookback days: ${DAYS}\"\n echo \"- Since: ${SINCE}\"\n echo \"- Commits in window: $(jq 'length' /tmp/gh-aw/agent/recent-commits.json)\"\n echo \"- Security-signal commits: $(jq 'length' /tmp/gh-aw/agent/security-signal-commits.json)\"\n echo \"- Open security issues: $(jq 'length' /tmp/gh-aw/agent/open-security-issues.json)\"\n echo \"- Open code scanning alerts: $(jq 'length' /tmp/gh-aw/agent/open-code-scanning-alerts.json)\"\n echo \"- Open secret scanning alerts: $(jq 'length' /tmp/gh-aw/agent/open-secret-scanning-alerts.json)\"\n} > /tmp/gh-aw/agent/uk-ai-governance-context.md\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n\nREPO=\"${GITHUB_REPOSITORY}\"\nDAYS=\"${LOOKBACK_DAYS}\"\nif ! [[ \"$DAYS\" =~ ^[0-9]+$ ]]; then DAYS=7; fi\nif [ \"$DAYS\" -lt 1 ]; then DAYS=1; fi\nif [ \"$DAYS\" -gt 30 ]; then DAYS=30; fi\n\nSINCE=\"$(date -u -d \"-${DAYS} days\" +%Y-%m-%dT%H:%M:%SZ)\"\necho \"$SINCE\" >/tmp/gh-aw/agent/since.txt\n\ngh api --paginate \"repos/${REPO}/commits?since=${SINCE}&per_page=100\" | jq -s 'add // []' > /tmp/gh-aw/agent/recent-commits.json\ngh api --paginate \"repos/${REPO}/issues?state=open&labels=security&per_page=100\" | jq -s 'add // []' > /tmp/gh-aw/agent/open-security-issues.json\ngh api --paginate \"repos/${REPO}/code-scanning/alerts?state=open&per_page=100\" | jq -s 'add // []' > /tmp/gh-aw/agent/open-code-scanning-alerts.json || echo \"[]\" >/tmp/gh-aw/agent/open-code-scanning-alerts.json\ngh api --paginate \"repos/${REPO}/secret-scanning/alerts?state=open&per_page=100\" | jq -s 'add // []' > /tmp/gh-aw/agent/open-secret-scanning-alerts.json || echo \"[]\" >/tmp/gh-aw/agent/open-secret-scanning-alerts.json\n\njq -r '\n [.[].commit.message]\n | map(select(type==\"string\"))\n | map(\n if test(\"security|vuln|cve|patch|auth|secret|token|permissions|hardening\"; \"i\")\n then .\n else empty\n end\n )' /tmp/gh-aw/agent/recent-commits.json > /tmp/gh-aw/agent/security-signal-commits.json\n\n{\n echo \"## UK AI Governance Pre-compute\"\n echo \"- Repository: ${REPO}\"\n echo \"- Lookback days: ${DAYS}\"\n echo \"- Since: ${SINCE}\"\n echo \"- Commits in window: $(jq 'length' /tmp/gh-aw/agent/recent-commits.json)\"\n echo \"- Security-signal commits: $(jq 'length' /tmp/gh-aw/agent/security-signal-commits.json)\"\n echo \"- Open security issues: $(jq 'length' /tmp/gh-aw/agent/open-security-issues.json)\"\n echo \"- Open code scanning alerts: $(jq 'length' /tmp/gh-aw/agent/open-code-scanning-alerts.json)\"\n echo \"- Open secret scanning alerts: $(jq 'length' /tmp/gh-aw/agent/open-secret-scanning-alerts.json)\"\n} > /tmp/gh-aw/agent/uk-ai-governance-context.md" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index de8aaf12c94..a533fc9776c 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -635,7 +635,7 @@ jobs: GH_AW_SKILL_DIR: ".pi/skills" run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh" - name: Pre-flight checks - run: "mkdir -p /tmp/gh-aw/agent\nmkdir -p /tmp/gh-aw/cache-memory\n\n# Write a heartbeat timestamp so the cache always has fresh content to save,\n# even on noop runs where the agent writes nothing to the cache directory.\necho \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" > /tmp/gh-aw/cache-memory/last-run.txt\n\n# Check 1: verify docs directory structure exists\nDIR_COUNT=$(find docs/src/content/docs -maxdepth 1 -type d 2>/dev/null | wc -l)\nif [ \"$DIR_COUNT\" -eq 0 ]; then\n echo '{\"pass\":false,\"reason\":\"Pre-flight failed: docs/src/content/docs directory not found — documentation structure is missing or repository is not set up correctly.\"}' \\\n > /tmp/gh-aw/agent/preflight.json\n exit 0\nfi\n\n# Check 2: count editable markdown files\nTOTAL=$(find docs/src/content/docs -path '*/blog*' -prune \\\n -o -name '*.md' -type f ! -name 'frontmatter-full.md' -print \\\n | xargs grep -rL 'disable-agentic-editing: true' 2>/dev/null \\\n | wc -l)\nif [ \"$TOTAL\" -eq 0 ]; then\n echo '{\"pass\":false,\"reason\":\"Pre-flight failed: no editable markdown files found in docs/src/content/docs (all files may be protected or excluded).\"}' \\\n > /tmp/gh-aw/agent/preflight.json\n exit 0\nfi\n\n# Check 3: count uncleaned candidates (not cleaned in the past 7 days)\nRECENT_CUTOFF=$(date -d '7 days ago' '+%Y-%m-%d' 2>/dev/null \\\n || date -v-7d '+%Y-%m-%d' 2>/dev/null \\\n || echo \"0000-00-00\")\n\n# Expiration check: if the most recent cleanup entry is older than 14 days the\n# cache has gone cold (e.g. GitHub Actions evicted the 7-day cache entry).\n# Reset cleaned-files.txt so every file is eligible again and stale \"already\n# cleaned\" claims are not silently reused.\nCACHE_FILE=\"/tmp/gh-aw/cache-memory/cleaned-files.txt\"\nSTALE_CUTOFF=$(date -d '14 days ago' '+%Y-%m-%d' 2>/dev/null \\\n || date -v-14d '+%Y-%m-%d' 2>/dev/null \\\n || echo \"0000-00-00\")\nLATEST_ENTRY=$(awk 'NF>0{print $1}' \"$CACHE_FILE\" 2>/dev/null | sort | tail -1)\nif [ -n \"$LATEST_ENTRY\" ] && [ \"$LATEST_ENTRY\" \\< \"$STALE_CUTOFF\" ]; then\n echo \"Cache expiration: most recent entry $LATEST_ENTRY predates $STALE_CUTOFF — resetting cleaned-files.txt\"\n > \"$CACHE_FILE\"\nfi\n\nCLEANED=$(awk -v cutoff=\"$RECENT_CUTOFF\" \\\n 'NF>0 && $1>=cutoff{count++} END{print count+0}' \\\n \"$CACHE_FILE\" 2>/dev/null || echo \"0\")\nUNCLEANED=$(( TOTAL - CLEANED ))\nif [ \"$UNCLEANED\" -le 0 ]; then\n echo '{\"pass\":false,\"reason\":\"Pre-flight check: all eligible documentation files were cleaned recently — nothing to do this run.\"}' \\\n > /tmp/gh-aw/agent/preflight.json\n exit 0\nfi\n\n# All checks passed — write candidate file list and preflight result\nfind docs/src/content/docs -path '*/blog*' -prune \\\n -o -name '*.md' -type f ! -name 'frontmatter-full.md' -print \\\n | xargs grep -rL 'disable-agentic-editing: true' 2>/dev/null \\\n > /tmp/gh-aw/agent/candidate-files.txt\nprintf '{\"pass\":true,\"reason\":\"All pre-flight checks passed. %d uncleaned candidates available.\",\"uncleaned\":%d,\"total\":%d}\\n' \\\n \"$UNCLEANED\" \"$UNCLEANED\" \"$TOTAL\" \\\n > /tmp/gh-aw/agent/preflight.json\n\necho \"Pre-flight passed: $UNCLEANED uncleaned candidates out of $TOTAL eligible files\"\necho \"Candidate files written to /tmp/gh-aw/agent/candidate-files.txt\"\n" + run: "mkdir -p /tmp/gh-aw/agent\nmkdir -p /tmp/gh-aw/cache-memory\n\n# Write a heartbeat timestamp so the cache always has fresh content to save,\n# even on noop runs where the agent writes nothing to the cache directory.\necho \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\" > /tmp/gh-aw/cache-memory/last-run.txt\n\n# Check 1: verify docs directory structure exists\nDIR_COUNT=$(find docs/src/content/docs -maxdepth 1 -type d 2>/dev/null | wc -l)\nif [ \"$DIR_COUNT\" -eq 0 ]; then\n echo '{\"pass\":false,\"reason\":\"Pre-flight failed: docs/src/content/docs directory not found — documentation structure is missing or repository is not set up correctly.\"}' \\\n > /tmp/gh-aw/agent/preflight.json\n exit 0\nfi\n\n# Check 2: count editable markdown files\nTOTAL=$(find docs/src/content/docs -path '*/blog*' -prune \\\n -o -name '*.md' -type f ! -name 'frontmatter-full.md' -print \\\n | xargs grep -rL 'disable-agentic-editing: true' 2>/dev/null \\\n | wc -l)\nif [ \"$TOTAL\" -eq 0 ]; then\n echo '{\"pass\":false,\"reason\":\"Pre-flight failed: no editable markdown files found in docs/src/content/docs (all files may be protected or excluded).\"}' \\\n > /tmp/gh-aw/agent/preflight.json\n exit 0\nfi\n\n# Check 3: count uncleaned candidates (not cleaned in the past 7 days)\nRECENT_CUTOFF=$(date -d '7 days ago' '+%Y-%m-%d' 2>/dev/null \\\n || date -v-7d '+%Y-%m-%d' 2>/dev/null \\\n || echo \"0000-00-00\")\n\n# Expiration check: if the most recent cleanup entry is older than 14 days the\n# cache has gone cold (e.g. GitHub Actions evicted the 7-day cache entry).\n# Reset cleaned-files.txt so every file is eligible again and stale \"already\n# cleaned\" claims are not silently reused.\nCACHE_FILE=\"/tmp/gh-aw/cache-memory/cleaned-files.txt\"\nSTALE_CUTOFF=$(date -d '14 days ago' '+%Y-%m-%d' 2>/dev/null \\\n || date -v-14d '+%Y-%m-%d' 2>/dev/null \\\n || echo \"0000-00-00\")\nLATEST_ENTRY=$(awk 'NF>0{print $1}' \"$CACHE_FILE\" 2>/dev/null | sort | tail -1)\nif [ -n \"$LATEST_ENTRY\" ] && [ \"$LATEST_ENTRY\" \\< \"$STALE_CUTOFF\" ]; then\n echo \"Cache expiration: most recent entry $LATEST_ENTRY predates $STALE_CUTOFF — resetting cleaned-files.txt\"\n > \"$CACHE_FILE\"\nfi\n\nCLEANED=$(awk -v cutoff=\"$RECENT_CUTOFF\" \\\n 'NF>0 && $1>=cutoff{count++} END{print count+0}' \\\n \"$CACHE_FILE\" 2>/dev/null || echo \"0\")\nUNCLEANED=$(( TOTAL - CLEANED ))\nif [ \"$UNCLEANED\" -le 0 ]; then\n echo '{\"pass\":false,\"reason\":\"Pre-flight check: all eligible documentation files were cleaned recently — nothing to do this run.\"}' \\\n > /tmp/gh-aw/agent/preflight.json\n exit 0\nfi\n\n# All checks passed — write candidate file list and preflight result\nfind docs/src/content/docs -path '*/blog*' -prune \\\n -o -name '*.md' -type f ! -name 'frontmatter-full.md' -print \\\n | xargs grep -rL 'disable-agentic-editing: true' 2>/dev/null \\\n > /tmp/gh-aw/agent/candidate-files.txt\nprintf '{\"pass\":true,\"reason\":\"All pre-flight checks passed. %d uncleaned candidates available.\",\"uncleaned\":%d,\"total\":%d}\\n' \\\n \"$UNCLEANED\" \"$UNCLEANED\" \"$TOTAL\" \\\n > /tmp/gh-aw/agent/preflight.json\n\necho \"Pre-flight passed: $UNCLEANED uncleaned candidates out of $TOTAL eligible files\"\necho \"Candidate files written to /tmp/gh-aw/agent/candidate-files.txt\"" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 896aead4e69..d992b9bd3de 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -583,7 +583,7 @@ jobs: bash "${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh" - name: Pre-fetch release and merged PR data if: ${{ needs.activation.outputs.prefetch_strategy == 'eager' }} - run: | + run: |- set -euo pipefail mkdir -p /tmp/gh-aw/agent diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 6c1a64a7b82..dfc54330fcf 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -490,7 +490,7 @@ jobs: - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Build Inventory - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n# Run compilation validation and capture output\ngh aw compile --validate > /tmp/gh-aw/agent/compile-validate.txt 2>&1 || true\n# List executable workflow files (exclude shared/ subdirectory)\nls .github/workflows/*.md 2>/dev/null > /tmp/gh-aw/agent/workflow-list.txt || true\necho \"Inventory complete: $(wc -l < /tmp/gh-aw/agent/workflow-list.txt | tr -d ' ') workflows found\"\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\n# Run compilation validation and capture output\ngh aw compile --validate > /tmp/gh-aw/agent/compile-validate.txt 2>&1 || true\n# List executable workflow files (exclude shared/ subdirectory)\nls .github/workflows/*.md 2>/dev/null > /tmp/gh-aw/agent/workflow-list.txt || true\necho \"Inventory complete: $(wc -l < /tmp/gh-aw/agent/workflow-list.txt | tr -d ' ') workflows found\"" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) @@ -559,7 +559,7 @@ jobs: GH_AW_SKILL_DIR: ".github/skills" run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh" - name: Load Metrics - run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\nMETRICS_FILE=\"/tmp/gh-aw/repo-memory/default/metrics/latest.json\"\nif [ -f \"$METRICS_FILE\" ]; then\n jq '[.workflow_runs | to_entries[]\n | select(.value.success_rate < 0.8)]\n | sort_by(.value.success_rate) | .[0:20]' \\\n \"$METRICS_FILE\" > /tmp/gh-aw/agent/failing-workflows.json 2>/dev/null \\\n || echo '[]' > /tmp/gh-aw/agent/failing-workflows.json\nelse\n echo '[]' > /tmp/gh-aw/agent/failing-workflows.json\nfi\necho \"Metrics loaded: $(jq 'length' /tmp/gh-aw/agent/failing-workflows.json) failing workflows (<80% success)\"\n" + run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/agent\nMETRICS_FILE=\"/tmp/gh-aw/repo-memory/default/metrics/latest.json\"\nif [ -f \"$METRICS_FILE\" ]; then\n jq '[.workflow_runs | to_entries[]\n | select(.value.success_rate < 0.8)]\n | sort_by(.value.success_rate) | .[0:20]' \\\n \"$METRICS_FILE\" > /tmp/gh-aw/agent/failing-workflows.json 2>/dev/null \\\n || echo '[]' > /tmp/gh-aw/agent/failing-workflows.json\nelse\n echo '[]' > /tmp/gh-aw/agent/failing-workflows.json\nfi\necho \"Metrics loaded: $(jq 'length' /tmp/gh-aw/agent/failing-workflows.json) failing workflows (<80% success)\"" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015 ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485 ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06 ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4 diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index ec5683faf20..9a7bd276653 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -475,7 +475,7 @@ jobs: - name: Build workflow index uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: - script: "const fs = require('fs');\nconst path = require('path');\n\nconst workflowDir = '.github/workflows';\nconst entries = fs.readdirSync(workflowDir, { withFileTypes: true });\nconst index = [];\n\nfor (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {\n if (!entry.isFile() || !entry.name.endsWith('.md') || entry.name.startsWith('.')) {\n continue;\n }\n\n const workflowPath = path.join(workflowDir, entry.name);\n const content = fs.readFileSync(workflowPath, 'utf8');\n const frontmatterMatch = content.match(/^---\\n([\\s\\S]*?)\\n---/);\n const frontmatter = frontmatterMatch ? frontmatterMatch[1] : '';\n\n const imports = Array.from(frontmatter.matchAll(/^\\s*-\\s+(shared\\/\\S+)/gm), (m) => m[1]);\n let engine = null;\n const frontmatterLines = frontmatter.split('\\n');\n let inEngineBlock = false;\n\n for (const line of frontmatterLines) {\n if (!inEngineBlock) {\n if (/^engine:\\s*$/.test(line)) {\n inEngineBlock = true;\n }\n continue;\n }\n\n if (!/^[ \\t]/.test(line)) {\n break;\n }\n\n const engineIDMatch = line.match(/^\\s*id:\\s*(\\S+)/);\n if (engineIDMatch) {\n engine = engineIDMatch[1];\n break;\n }\n }\n\n index.push({\n file: entry.name,\n path: workflowPath,\n imports,\n engine,\n has_github_tools: frontmatter.includes('github:'),\n has_safe_outputs: frontmatter.includes('safe-outputs:'),\n frontmatter_preview: frontmatter.slice(0, 400)\n });\n}\n\nfs.mkdirSync('/tmp/gh-aw/agent', { recursive: true });\nfs.writeFileSync('/tmp/gh-aw/agent/workflow-index.json', JSON.stringify(index, null, 2) + '\\n', 'utf8');\ncore.info(`Indexed ${index.length} workflows`);\n" + script: "const fs = require('fs');\nconst path = require('path');\n\nconst workflowDir = '.github/workflows';\nconst entries = fs.readdirSync(workflowDir, { withFileTypes: true });\nconst index = [];\n\nfor (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {\n if (!entry.isFile() || !entry.name.endsWith('.md') || entry.name.startsWith('.')) {\n continue;\n }\n\n const workflowPath = path.join(workflowDir, entry.name);\n const content = fs.readFileSync(workflowPath, 'utf8');\n const frontmatterMatch = content.match(/^---\\n([\\s\\S]*?)\\n---/);\n const frontmatter = frontmatterMatch ? frontmatterMatch[1] : '';\n\n const imports = Array.from(frontmatter.matchAll(/^\\s*-\\s+(shared\\/\\S+)/gm), (m) => m[1]);\n let engine = null;\n const frontmatterLines = frontmatter.split('\\n');\n let inEngineBlock = false;\n\n for (const line of frontmatterLines) {\n if (!inEngineBlock) {\n if (/^engine:\\s*$/.test(line)) {\n inEngineBlock = true;\n }\n continue;\n }\n\n if (!/^[ \\t]/.test(line)) {\n break;\n }\n\n const engineIDMatch = line.match(/^\\s*id:\\s*(\\S+)/);\n if (engineIDMatch) {\n engine = engineIDMatch[1];\n break;\n }\n }\n\n index.push({\n file: entry.name,\n path: workflowPath,\n imports,\n engine,\n has_github_tools: frontmatter.includes('github:'),\n has_safe_outputs: frontmatter.includes('safe-outputs:'),\n frontmatter_preview: frontmatter.slice(0, 400)\n });\n}\n\nfs.mkdirSync('/tmp/gh-aw/agent', { recursive: true });\nfs.writeFileSync('/tmp/gh-aw/agent/workflow-index.json', JSON.stringify(index, null, 2) + '\\n', 'utf8');\ncore.info(`Indexed ${index.length} workflows`);" - name: Configure Git credentials env: From 98a1883ac9229abaad92e23bf9e3d55ab619a691 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 07:09:45 +0000 Subject: [PATCH 03/21] fix(security): replace curl|sh installer patterns with download+verify (RGS-018) Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/copilot-setup-steps.yml | 4 +++- .github/workflows/daily-byok-ollama-test.lock.yml | 12 +++++++++--- .github/workflows/daily-byok-ollama-test.md | 8 +++++++- .github/workflows/shared/trufflehog.md | 7 +++++-- .github/workflows/smoke-codex.lock.yml | 9 ++++++--- pkg/cli/copilot_setup.go | 11 +++++++---- 6 files changed, 37 insertions(+), 14 deletions(-) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 079a458a75b..dbc2a74d0f4 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -14,7 +14,9 @@ jobs: contents: read steps: - name: Install gh-aw extension - run: curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash + run: | + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh + bash /tmp/install-gh-aw.sh - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-byok-ollama-test.lock.yml b/.github/workflows/daily-byok-ollama-test.lock.yml index e535e1d7b17..93422aa912a 100644 --- a/.github/workflows/daily-byok-ollama-test.lock.yml +++ b/.github/workflows/daily-byok-ollama-test.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"eee569f9fae2a93ae15390081598db67ecce6bb925746a1efcc2137e5d82fdde","body_hash":"a8700a0e185e97532c657acf89f5d027281f174cf113819e61f61465fe665ec8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.68"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"91759d1bcf61ef39063e44b0930e2c6290162f719f5170c39b467daee121db70","body_hash":"a8700a0e185e97532c657acf89f5d027281f174cf113819e61f61465fe665ec8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.68"}} # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -447,9 +447,15 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh" env: GH_TOKEN: ${{ github.token }} - - name: Install Ollama + - env: + OLLAMA_INSTALL_SHA256: 25f64b810b947145095956533e1bdf56eacea2673c55a7e586be4515fc882c9f + OLLAMA_VERSION: 0.31.1 + name: Install Ollama run: | - curl -fsSL https://ollama.com/install.sh | sh + echo "Downloading Ollama v${OLLAMA_VERSION} install script..." + curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/ollama-install.sh + echo "${OLLAMA_INSTALL_SHA256} /tmp/ollama-install.sh" | sha256sum -c - + sh /tmp/ollama-install.sh - name: Generate Ollama API key run: | OLLAMA_API_KEY="$(openssl rand -hex 16)" diff --git a/.github/workflows/daily-byok-ollama-test.md b/.github/workflows/daily-byok-ollama-test.md index 0bb78a8024a..08709abd4c7 100644 --- a/.github/workflows/daily-byok-ollama-test.md +++ b/.github/workflows/daily-byok-ollama-test.md @@ -20,8 +20,14 @@ strict: true timeout-minutes: 20 steps: - name: Install Ollama + env: + OLLAMA_VERSION: "0.31.1" + OLLAMA_INSTALL_SHA256: "25f64b810b947145095956533e1bdf56eacea2673c55a7e586be4515fc882c9f" run: | - curl -fsSL https://ollama.com/install.sh | sh + echo "Downloading Ollama v${OLLAMA_VERSION} install script..." + curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/ollama-install.sh + echo "${OLLAMA_INSTALL_SHA256} /tmp/ollama-install.sh" | sha256sum -c - + sh /tmp/ollama-install.sh - name: Generate Ollama API key run: | OLLAMA_API_KEY="$(openssl rand -hex 16)" diff --git a/.github/workflows/shared/trufflehog.md b/.github/workflows/shared/trufflehog.md index 633a1deaaf7..369e5eb2cc6 100644 --- a/.github/workflows/shared/trufflehog.md +++ b/.github/workflows/shared/trufflehog.md @@ -38,9 +38,12 @@ jobs: id: install-trufflehog env: TRUFFLEHOG_VERSION: "3.88.27" + TRUFFLEHOG_SHA256: "e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7" run: | - echo "Installing TruffleHog v${TRUFFLEHOG_VERSION}..." - curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin "v${TRUFFLEHOG_VERSION}" + echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." + curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/trufflehog.tar.gz + echo "${TRUFFLEHOG_SHA256} /tmp/trufflehog.tar.gz" | sha256sum -c - + sudo tar -xzf /tmp/trufflehog.tar.gz -C /usr/local/bin trufflehog trufflehog --version - name: Scan agent output for secrets diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index a6dc4147d6b..81990c7b5cb 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"f4c25dc4e3ebaa00201eec60464e37b5d059d7c2c14344ad95baab84851c84c8","body_hash":"71703d81d442ba6c0853517c3c7256b6456ac4af23b6f6424182ef84b9e94523","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"4359127d6b737db5df95bbc4ad3df6341a48ca54fadf5dfedac8e21e4debc347","body_hash":"71703d81d442ba6c0853517c3c7256b6456ac4af23b6f6424182ef84b9e94523","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} # gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions-ecosystem/action-add-labels","sha":"c96b68fec76a0987cd93957189e9abd0b9a72ff1","version":"v1.1.3"},{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"924ae3a1cded613372ab5595356fb5720e22ba16","version":"v6.5.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24","digest":"sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"},{"image":"ghcr.io/github/serena-mcp-server:latest","digest":"sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5","pinned_image":"ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -2416,10 +2416,13 @@ jobs: - name: Install TruffleHog id: install-trufflehog run: | - echo "Installing TruffleHog v${TRUFFLEHOG_VERSION}..." - curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin "v${TRUFFLEHOG_VERSION}" + echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." + curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/trufflehog.tar.gz + echo "${TRUFFLEHOG_SHA256} /tmp/trufflehog.tar.gz" | sha256sum -c - + sudo tar -xzf /tmp/trufflehog.tar.gz -C /usr/local/bin trufflehog trufflehog --version env: + TRUFFLEHOG_SHA256: e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7 TRUFFLEHOG_VERSION: 3.88.27 - name: Scan agent output for secrets id: scan-agent-output diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index 5c91ecf731d..b2941446eed 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -82,7 +82,7 @@ jobs: `, actionRepo, actionRef, version) } - // Default (dev/script mode): use curl to download install script + // Default (dev/script mode): download install script to file before executing return `name: "Copilot Setup Steps" # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server @@ -105,7 +105,8 @@ jobs: steps: - name: Install gh-aw extension run: | - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh + bash /tmp/install-gh-aw.sh ` } @@ -131,7 +132,8 @@ jobs: steps: - name: Install gh-aw extension run: | - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh + bash /tmp/install-gh-aw.sh ` // CopilotWorkflowStep represents a GitHub Actions workflow step for Copilot setup scaffolding @@ -280,7 +282,8 @@ func renderCopilotSetupUpdateInstructions(ctx context.Context, filePath string, } else { fmt.Fprintln(os.Stderr, " - name: Install gh-aw extension") fmt.Fprintln(os.Stderr, " run: |") - fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash") + fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh") + fmt.Fprintln(os.Stderr, " bash /tmp/install-gh-aw.sh") } fmt.Fprintln(os.Stderr) } From 0821ca989c4b3f4fe5fdf7b15506189a6af047a1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 07:33:46 +0000 Subject: [PATCH 04/21] fix: use /tmp/gh-aw/ folder for installer temp files Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/copilot-setup-steps.yml | 5 +++-- .github/workflows/daily-byok-ollama-test.lock.yml | 9 +++++---- .github/workflows/daily-byok-ollama-test.md | 7 ++++--- .github/workflows/shared/trufflehog.md | 7 ++++--- .github/workflows/smoke-codex.lock.yml | 9 +++++---- pkg/cli/copilot_setup.go | 15 +++++++++------ 6 files changed, 30 insertions(+), 22 deletions(-) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index dbc2a74d0f4..8d0e86a4fc1 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -15,8 +15,9 @@ jobs: steps: - name: Install gh-aw extension run: | - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh - bash /tmp/install-gh-aw.sh + mkdir -p /tmp/gh-aw + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh + bash /tmp/gh-aw/install-gh-aw.sh - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-byok-ollama-test.lock.yml b/.github/workflows/daily-byok-ollama-test.lock.yml index 93422aa912a..fdcd3d75eb2 100644 --- a/.github/workflows/daily-byok-ollama-test.lock.yml +++ b/.github/workflows/daily-byok-ollama-test.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"91759d1bcf61ef39063e44b0930e2c6290162f719f5170c39b467daee121db70","body_hash":"a8700a0e185e97532c657acf89f5d027281f174cf113819e61f61465fe665ec8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.68"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"8cd3caa3f7a6e49b2d05e4fb18eabc36d38f0a9976443f155c23d06e5c1fd063","body_hash":"a8700a0e185e97532c657acf89f5d027281f174cf113819e61f61465fe665ec8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.68"}} # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -453,9 +453,10 @@ jobs: name: Install Ollama run: | echo "Downloading Ollama v${OLLAMA_VERSION} install script..." - curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/ollama-install.sh - echo "${OLLAMA_INSTALL_SHA256} /tmp/ollama-install.sh" | sha256sum -c - - sh /tmp/ollama-install.sh + mkdir -p /tmp/gh-aw + curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/gh-aw/ollama-install.sh + echo "${OLLAMA_INSTALL_SHA256} /tmp/gh-aw/ollama-install.sh" | sha256sum -c - + sh /tmp/gh-aw/ollama-install.sh - name: Generate Ollama API key run: | OLLAMA_API_KEY="$(openssl rand -hex 16)" diff --git a/.github/workflows/daily-byok-ollama-test.md b/.github/workflows/daily-byok-ollama-test.md index 08709abd4c7..c0b2ee3d793 100644 --- a/.github/workflows/daily-byok-ollama-test.md +++ b/.github/workflows/daily-byok-ollama-test.md @@ -25,9 +25,10 @@ steps: OLLAMA_INSTALL_SHA256: "25f64b810b947145095956533e1bdf56eacea2673c55a7e586be4515fc882c9f" run: | echo "Downloading Ollama v${OLLAMA_VERSION} install script..." - curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/ollama-install.sh - echo "${OLLAMA_INSTALL_SHA256} /tmp/ollama-install.sh" | sha256sum -c - - sh /tmp/ollama-install.sh + mkdir -p /tmp/gh-aw + curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/gh-aw/ollama-install.sh + echo "${OLLAMA_INSTALL_SHA256} /tmp/gh-aw/ollama-install.sh" | sha256sum -c - + sh /tmp/gh-aw/ollama-install.sh - name: Generate Ollama API key run: | OLLAMA_API_KEY="$(openssl rand -hex 16)" diff --git a/.github/workflows/shared/trufflehog.md b/.github/workflows/shared/trufflehog.md index 369e5eb2cc6..c1bab04d315 100644 --- a/.github/workflows/shared/trufflehog.md +++ b/.github/workflows/shared/trufflehog.md @@ -41,9 +41,10 @@ jobs: TRUFFLEHOG_SHA256: "e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7" run: | echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." - curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/trufflehog.tar.gz - echo "${TRUFFLEHOG_SHA256} /tmp/trufflehog.tar.gz" | sha256sum -c - - sudo tar -xzf /tmp/trufflehog.tar.gz -C /usr/local/bin trufflehog + mkdir -p /tmp/gh-aw + curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/gh-aw/trufflehog.tar.gz + echo "${TRUFFLEHOG_SHA256} /tmp/gh-aw/trufflehog.tar.gz" | sha256sum -c - + sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz -C /usr/local/bin trufflehog trufflehog --version - name: Scan agent output for secrets diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 81990c7b5cb..4aa11a4d595 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"4359127d6b737db5df95bbc4ad3df6341a48ca54fadf5dfedac8e21e4debc347","body_hash":"71703d81d442ba6c0853517c3c7256b6456ac4af23b6f6424182ef84b9e94523","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"a8b06915b40e10f80201ea773fc862e8a1f1f51089fc400bb8018abbde7d99eb","body_hash":"71703d81d442ba6c0853517c3c7256b6456ac4af23b6f6424182ef84b9e94523","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} # gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions-ecosystem/action-add-labels","sha":"c96b68fec76a0987cd93957189e9abd0b9a72ff1","version":"v1.1.3"},{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"924ae3a1cded613372ab5595356fb5720e22ba16","version":"v6.5.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24","digest":"sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"},{"image":"ghcr.io/github/serena-mcp-server:latest","digest":"sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5","pinned_image":"ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -2417,9 +2417,10 @@ jobs: id: install-trufflehog run: | echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." - curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/trufflehog.tar.gz - echo "${TRUFFLEHOG_SHA256} /tmp/trufflehog.tar.gz" | sha256sum -c - - sudo tar -xzf /tmp/trufflehog.tar.gz -C /usr/local/bin trufflehog + mkdir -p /tmp/gh-aw + curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/gh-aw/trufflehog.tar.gz + echo "${TRUFFLEHOG_SHA256} /tmp/gh-aw/trufflehog.tar.gz" | sha256sum -c - + sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz -C /usr/local/bin trufflehog trufflehog --version env: TRUFFLEHOG_SHA256: e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7 diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index b2941446eed..678a416d342 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -105,8 +105,9 @@ jobs: steps: - name: Install gh-aw extension run: | - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh - bash /tmp/install-gh-aw.sh + mkdir -p /tmp/gh-aw + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh + bash /tmp/gh-aw/install-gh-aw.sh ` } @@ -132,8 +133,9 @@ jobs: steps: - name: Install gh-aw extension run: | - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh - bash /tmp/install-gh-aw.sh + mkdir -p /tmp/gh-aw + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh + bash /tmp/gh-aw/install-gh-aw.sh ` // CopilotWorkflowStep represents a GitHub Actions workflow step for Copilot setup scaffolding @@ -282,8 +284,9 @@ func renderCopilotSetupUpdateInstructions(ctx context.Context, filePath string, } else { fmt.Fprintln(os.Stderr, " - name: Install gh-aw extension") fmt.Fprintln(os.Stderr, " run: |") - fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh") - fmt.Fprintln(os.Stderr, " bash /tmp/install-gh-aw.sh") + fmt.Fprintln(os.Stderr, " mkdir -p /tmp/gh-aw") + fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh") + fmt.Fprintln(os.Stderr, " bash /tmp/gh-aw/install-gh-aw.sh") } fmt.Fprintln(os.Stderr) } From efc3075cb53c5a487c749a55cf62e421211e6e69 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 09:57:03 +0000 Subject: [PATCH 05/21] fix(security): pin installer refs to resolved SHA in dev-mode templates (RGS-018) Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- .github/workflows/copilot-setup-steps.yml | 7 ++---- pkg/cli/copilot_setup.go | 26 ++++++++++++++++++----- 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 8d0e86a4fc1..5bd7753191a 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -13,15 +13,12 @@ jobs: permissions: contents: read steps: - - name: Install gh-aw extension - run: | - mkdir -p /tmp/gh-aw - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh - bash /tmp/gh-aw/install-gh-aw.sh - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false + - name: Install gh-aw extension + run: bash install-gh-aw.sh - name: Set up Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f with: diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index 678a416d342..e2e1d626883 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -82,8 +82,15 @@ jobs: `, actionRepo, actionRef, version) } - // Default (dev/script mode): download install script to file before executing - return `name: "Copilot Setup Steps" + // Default (dev/script mode): try to resolve the main branch to a pinned SHA so the + // downloaded script is immutable; fall back to the mutable branch ref if unavailable. + installRef := "refs/heads/main" + if sha, err := workflow.ResolveGhAwRef(ctx, "main"); err == nil && sha != "" { + installRef = sha + } else { + copilotSetupLog.Printf("Could not resolve github/gh-aw main SHA for dev-mode template, falling back to mutable ref: %v", err) + } + return fmt.Sprintf(`name: "Copilot Setup Steps" # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server on: @@ -106,11 +113,14 @@ jobs: - name: Install gh-aw extension run: | mkdir -p /tmp/gh-aw - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/%s/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh bash /tmp/gh-aw/install-gh-aw.sh -` +`, installRef) } +// copilotSetupStepsYAML is a static dev-mode template used only for YAML validity tests. +// It deliberately uses the mutable branch ref as a fallback; the runtime function +// generateCopilotSetupStepsYAML resolves the ref to an immutable commit SHA whenever possible. const copilotSetupStepsYAML = `name: "Copilot Setup Steps" # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server @@ -282,10 +292,16 @@ func renderCopilotSetupUpdateInstructions(ctx context.Context, filePath string, fmt.Fprintln(os.Stderr, " with:") fmt.Fprintln(os.Stderr, " version: "+version) } else { + // Dev/script mode: try to resolve main to a pinned SHA so the instructions emit an + // immutable URL; fall back to the mutable branch ref if resolution is unavailable. + installRef := "refs/heads/main" + if sha, err := workflow.ResolveGhAwRef(ctx, "main"); err == nil && sha != "" { + installRef = sha + } fmt.Fprintln(os.Stderr, " - name: Install gh-aw extension") fmt.Fprintln(os.Stderr, " run: |") fmt.Fprintln(os.Stderr, " mkdir -p /tmp/gh-aw") - fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh") + fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/"+installRef+"/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh") fmt.Fprintln(os.Stderr, " bash /tmp/gh-aw/install-gh-aw.sh") } fmt.Fprintln(os.Stderr) From 74b0f64d69c97e974fb7b8502cd3b44d31b0f9f8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 19:23:44 +0000 Subject: [PATCH 06/21] =?UTF-8?q?fix:=20sh=E2=86=92bash=20for=20Ollama,=20?= =?UTF-8?q?add=20SHA=20update=20docs,=20trufflehog=20arch=20note=20+=20--n?= =?UTF-8?q?o-same-owner?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- .github/workflows/daily-byok-ollama-test.lock.yml | 4 ++-- .github/workflows/daily-byok-ollama-test.md | 4 +++- .github/workflows/shared/trufflehog.md | 6 +++++- .github/workflows/smoke-codex.lock.yml | 5 +++-- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/.github/workflows/daily-byok-ollama-test.lock.yml b/.github/workflows/daily-byok-ollama-test.lock.yml index fdcd3d75eb2..c7d65ae5823 100644 --- a/.github/workflows/daily-byok-ollama-test.lock.yml +++ b/.github/workflows/daily-byok-ollama-test.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"8cd3caa3f7a6e49b2d05e4fb18eabc36d38f0a9976443f155c23d06e5c1fd063","body_hash":"a8700a0e185e97532c657acf89f5d027281f174cf113819e61f61465fe665ec8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.68"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"92a633df2d6b6105c26057412bc3df6371091bbf0c1018517abcd8015e274086","body_hash":"a8700a0e185e97532c657acf89f5d027281f174cf113819e61f61465fe665ec8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.68"}} # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -456,7 +456,7 @@ jobs: mkdir -p /tmp/gh-aw curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/gh-aw/ollama-install.sh echo "${OLLAMA_INSTALL_SHA256} /tmp/gh-aw/ollama-install.sh" | sha256sum -c - - sh /tmp/gh-aw/ollama-install.sh + bash /tmp/gh-aw/ollama-install.sh - name: Generate Ollama API key run: | OLLAMA_API_KEY="$(openssl rand -hex 16)" diff --git a/.github/workflows/daily-byok-ollama-test.md b/.github/workflows/daily-byok-ollama-test.md index c0b2ee3d793..fc69ccd4a89 100644 --- a/.github/workflows/daily-byok-ollama-test.md +++ b/.github/workflows/daily-byok-ollama-test.md @@ -22,13 +22,15 @@ steps: - name: Install Ollama env: OLLAMA_VERSION: "0.31.1" + # SHA256 of install.sh from https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh + # To update: curl -fsSL https://github.com/ollama/ollama/releases/download/vNEW_VERSION/install.sh | sha256sum OLLAMA_INSTALL_SHA256: "25f64b810b947145095956533e1bdf56eacea2673c55a7e586be4515fc882c9f" run: | echo "Downloading Ollama v${OLLAMA_VERSION} install script..." mkdir -p /tmp/gh-aw curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/gh-aw/ollama-install.sh echo "${OLLAMA_INSTALL_SHA256} /tmp/gh-aw/ollama-install.sh" | sha256sum -c - - sh /tmp/gh-aw/ollama-install.sh + bash /tmp/gh-aw/ollama-install.sh - name: Generate Ollama API key run: | OLLAMA_API_KEY="$(openssl rand -hex 16)" diff --git a/.github/workflows/shared/trufflehog.md b/.github/workflows/shared/trufflehog.md index c1bab04d315..16fb44a885c 100644 --- a/.github/workflows/shared/trufflehog.md +++ b/.github/workflows/shared/trufflehog.md @@ -38,13 +38,17 @@ jobs: id: install-trufflehog env: TRUFFLEHOG_VERSION: "3.88.27" + # SHA256 of the linux_amd64 .tar.gz from the pinned release. Only GitHub-hosted ubuntu-latest runners + # (always amd64) are supported; self-hosted ARM runners will need a separate per-arch hash. + # To update: curl -fsSL https://github.com/trufflesecurity/trufflehog/releases/download/vNEW/trufflehog_NEW_linux_amd64.tar.gz | sha256sum TRUFFLEHOG_SHA256: "e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7" run: | echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." mkdir -p /tmp/gh-aw curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/gh-aw/trufflehog.tar.gz + # SHA256 covers the .tar.gz archive; the binary is extracted from the verified archive echo "${TRUFFLEHOG_SHA256} /tmp/gh-aw/trufflehog.tar.gz" | sha256sum -c - - sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz -C /usr/local/bin trufflehog + sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz --no-same-owner -C /usr/local/bin trufflehog trufflehog --version - name: Scan agent output for secrets diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 4aa11a4d595..2d5838a465b 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"a8b06915b40e10f80201ea773fc862e8a1f1f51089fc400bb8018abbde7d99eb","body_hash":"71703d81d442ba6c0853517c3c7256b6456ac4af23b6f6424182ef84b9e94523","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"167d47e35fd4ac2d221b57dcd53b875c62bafaeee4ad90e6aacdf45f112ca24a","body_hash":"71703d81d442ba6c0853517c3c7256b6456ac4af23b6f6424182ef84b9e94523","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} # gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions-ecosystem/action-add-labels","sha":"c96b68fec76a0987cd93957189e9abd0b9a72ff1","version":"v1.1.3"},{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"924ae3a1cded613372ab5595356fb5720e22ba16","version":"v6.5.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24","digest":"sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"},{"image":"ghcr.io/github/serena-mcp-server:latest","digest":"sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5","pinned_image":"ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -2419,8 +2419,9 @@ jobs: echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." mkdir -p /tmp/gh-aw curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/gh-aw/trufflehog.tar.gz + # SHA256 covers the .tar.gz archive; the binary is extracted from the verified archive echo "${TRUFFLEHOG_SHA256} /tmp/gh-aw/trufflehog.tar.gz" | sha256sum -c - - sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz -C /usr/local/bin trufflehog + sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz --no-same-owner -C /usr/local/bin trufflehog trufflehog --version env: TRUFFLEHOG_SHA256: e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7 From e1701203cddff6a904b114280e9b28260855b5df Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 20:09:46 +0000 Subject: [PATCH 07/21] fix(security): pin copilotSetupStepsYAML constant to immutable SHA; add arch guard to trufflehog.md Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- .github/workflows/shared/trufflehog.md | 5 +++++ .github/workflows/smoke-codex.lock.yml | 7 ++++++- pkg/cli/copilot_setup.go | 6 +++--- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/workflows/shared/trufflehog.md b/.github/workflows/shared/trufflehog.md index 16fb44a885c..db69a43ae19 100644 --- a/.github/workflows/shared/trufflehog.md +++ b/.github/workflows/shared/trufflehog.md @@ -43,6 +43,11 @@ jobs: # To update: curl -fsSL https://github.com/trufflesecurity/trufflehog/releases/download/vNEW/trufflehog_NEW_linux_amd64.tar.gz | sha256sum TRUFFLEHOG_SHA256: "e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7" run: | + ARCH=$(uname -m) + if [ "$ARCH" != "x86_64" ]; then + echo "::error::TruffleHog installation only supports x86_64 (linux_amd64); detected $ARCH. Self-hosted ARM runners must install TruffleHog separately." + exit 1 + fi echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." mkdir -p /tmp/gh-aw curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/gh-aw/trufflehog.tar.gz diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 2d5838a465b..6266b1f5128 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"167d47e35fd4ac2d221b57dcd53b875c62bafaeee4ad90e6aacdf45f112ca24a","body_hash":"71703d81d442ba6c0853517c3c7256b6456ac4af23b6f6424182ef84b9e94523","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"b1584c2862c71b94968843ff97149d2dfd8b6d9e66c14bd7dbfbe0c1af4c124b","body_hash":"71703d81d442ba6c0853517c3c7256b6456ac4af23b6f6424182ef84b9e94523","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} # gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions-ecosystem/action-add-labels","sha":"c96b68fec76a0987cd93957189e9abd0b9a72ff1","version":"v1.1.3"},{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"924ae3a1cded613372ab5595356fb5720e22ba16","version":"v6.5.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.24@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.24@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24","digest":"sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.24@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.24@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"},{"image":"ghcr.io/github/serena-mcp-server:latest","digest":"sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5","pinned_image":"ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -2416,6 +2416,11 @@ jobs: - name: Install TruffleHog id: install-trufflehog run: | + ARCH=$(uname -m) + if [ "$ARCH" != "x86_64" ]; then + echo "::error::TruffleHog installation only supports x86_64 (linux_amd64); detected $ARCH. Self-hosted ARM runners must install TruffleHog separately." + exit 1 + fi echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." mkdir -p /tmp/gh-aw curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/gh-aw/trufflehog.tar.gz diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index e2e1d626883..cc79af76a87 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -119,8 +119,8 @@ jobs: } // copilotSetupStepsYAML is a static dev-mode template used only for YAML validity tests. -// It deliberately uses the mutable branch ref as a fallback; the runtime function -// generateCopilotSetupStepsYAML resolves the ref to an immutable commit SHA whenever possible. +// The URL is pinned to an immutable commit SHA as a representative example; the runtime +// function generateCopilotSetupStepsYAML resolves the ref dynamically via ResolveGhAwRef. const copilotSetupStepsYAML = `name: "Copilot Setup Steps" # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server @@ -144,7 +144,7 @@ jobs: - name: Install gh-aw extension run: | mkdir -p /tmp/gh-aw - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/21a6827c430f89d3b7443074cfc8bd25b84d278f/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh bash /tmp/gh-aw/install-gh-aw.sh ` From b433a831a2511d6b4a7df9f37d163fd00ad7bb77 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 23:43:25 +0000 Subject: [PATCH 08/21] fix(security): add SHA256 integrity check to dev-mode install-gh-aw.sh download Resolves the CHANGES_REQUESTED feedback from github-actions[bot]: - Add resolveInstallScriptSHA256() helper that fetches install-gh-aw.sh at the resolved commit SHA and computes its SHA256 hex digest - generateCopilotSetupStepsYAML() now embeds a sha256sum -c check line when the SHA256 can be resolved (i.e., GitHub API is reachable) - renderCopilotSetupUpdateInstructions() emits the same sha256sum check line - copilotSetupStepsYAML constant updated with explicit sha256sum verification for the pinned commit 21a6827c (SHA256: 248ccebcb998c6...) When the GitHub API is unreachable (air-gapped), sha256sum is omitted and the commit-SHA-pinned URL remains as the sole integrity mechanism. Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/cli/copilot_setup.go | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index cc79af76a87..669bfc577ed 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -3,6 +3,8 @@ package cli import ( "bytes" "context" + "crypto/sha256" + "encoding/hex" "fmt" "os" "path/filepath" @@ -18,6 +20,23 @@ import ( var copilotSetupLog = logger.New("cli:copilot_setup") +// resolveInstallScriptSHA256 fetches install-gh-aw.sh at the given immutable commit SHA +// and returns its SHA256 hex digest for use in a sha256sum integrity check. +// Returns an empty string and logs a warning if the fetch or computation fails. +func resolveInstallScriptSHA256(ctx context.Context, commitSHA string) string { + if commitSHA == "" { + return "" + } + scriptURL := "https://raw.githubusercontent.com/github/gh-aw/" + commitSHA + "/install-gh-aw.sh" + res, err := FetchImportURL(ctx, scriptURL, FetchOptions{}) + if err != nil { + copilotSetupLog.Printf("Could not fetch install-gh-aw.sh to compute SHA256: %v", err) + return "" + } + h := sha256.Sum256(res.Body) + return hex.EncodeToString(h[:]) +} + // getActionRef returns the action reference string based on action mode and version. // If a resolver is provided and mode is release or action, attempts to resolve the SHA for a SHA-pinned reference. // Falls back to a version tag reference if SHA resolution fails or resolver is nil. @@ -85,11 +104,18 @@ jobs: // Default (dev/script mode): try to resolve the main branch to a pinned SHA so the // downloaded script is immutable; fall back to the mutable branch ref if unavailable. installRef := "refs/heads/main" + installSHA256 := "" if sha, err := workflow.ResolveGhAwRef(ctx, "main"); err == nil && sha != "" { installRef = sha + // Fetch the script to compute an explicit SHA256 integrity check line. + installSHA256 = resolveInstallScriptSHA256(ctx, sha) } else { copilotSetupLog.Printf("Could not resolve github/gh-aw main SHA for dev-mode template, falling back to mutable ref: %v", err) } + sha256Line := "" + if installSHA256 != "" { + sha256Line = ` echo "` + installSHA256 + ` /tmp/gh-aw/install-gh-aw.sh" | sha256sum -c -` + "\n" + } return fmt.Sprintf(`name: "Copilot Setup Steps" # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server @@ -114,8 +140,8 @@ jobs: run: | mkdir -p /tmp/gh-aw curl -fsSL https://raw.githubusercontent.com/github/gh-aw/%s/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh - bash /tmp/gh-aw/install-gh-aw.sh -`, installRef) +%s bash /tmp/gh-aw/install-gh-aw.sh +`, installRef, sha256Line) } // copilotSetupStepsYAML is a static dev-mode template used only for YAML validity tests. @@ -145,6 +171,7 @@ jobs: run: | mkdir -p /tmp/gh-aw curl -fsSL https://raw.githubusercontent.com/github/gh-aw/21a6827c430f89d3b7443074cfc8bd25b84d278f/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh + echo "248ccebcb998c6a506548156e1bf9f02429cbbaec407d5adbdfd316ab0f866a0 /tmp/gh-aw/install-gh-aw.sh" | sha256sum -c - bash /tmp/gh-aw/install-gh-aw.sh ` @@ -295,13 +322,18 @@ func renderCopilotSetupUpdateInstructions(ctx context.Context, filePath string, // Dev/script mode: try to resolve main to a pinned SHA so the instructions emit an // immutable URL; fall back to the mutable branch ref if resolution is unavailable. installRef := "refs/heads/main" + installSHA256 := "" if sha, err := workflow.ResolveGhAwRef(ctx, "main"); err == nil && sha != "" { installRef = sha + installSHA256 = resolveInstallScriptSHA256(ctx, sha) } fmt.Fprintln(os.Stderr, " - name: Install gh-aw extension") fmt.Fprintln(os.Stderr, " run: |") fmt.Fprintln(os.Stderr, " mkdir -p /tmp/gh-aw") fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/"+installRef+"/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh") + if installSHA256 != "" { + fmt.Fprintln(os.Stderr, ` echo "`+installSHA256+` /tmp/gh-aw/install-gh-aw.sh" | sha256sum -c -`) + } fmt.Fprintln(os.Stderr, " bash /tmp/gh-aw/install-gh-aw.sh") } fmt.Fprintln(os.Stderr) From d11cf89a080ca8b87c12e62478df758ed53f7dfd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 23:48:12 +0000 Subject: [PATCH 09/21] fix(security): add input validation guards for SHA values in install script helpers - Use fmt.Sprintf for URL construction in resolveInstallScriptSHA256 (not string concat) - Validate commitSHA with gitutil.IsValidFullSHA before using in URL - Validate computed digest with sha256HexRegex before returning - Use sha256HexRegex check at both sha256sum embedding sites instead of != "" - Add sha256HexRegex package var (^[0-9a-f]{64}$) to prevent injection Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/cli/copilot_setup.go | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index 669bfc577ed..e89e0b0d545 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -14,27 +14,37 @@ import ( "github.com/github/gh-aw/pkg/console" "github.com/github/gh-aw/pkg/constants" "github.com/github/gh-aw/pkg/fileutil" + "github.com/github/gh-aw/pkg/gitutil" "github.com/github/gh-aw/pkg/logger" "github.com/github/gh-aw/pkg/workflow" ) var copilotSetupLog = logger.New("cli:copilot_setup") +// sha256HexRegex matches a valid lowercase SHA256 hex digest (exactly 64 hex chars). +var sha256HexRegex = regexp.MustCompile(`^[0-9a-f]{64}$`) + // resolveInstallScriptSHA256 fetches install-gh-aw.sh at the given immutable commit SHA // and returns its SHA256 hex digest for use in a sha256sum integrity check. // Returns an empty string and logs a warning if the fetch or computation fails. func resolveInstallScriptSHA256(ctx context.Context, commitSHA string) string { - if commitSHA == "" { + if !gitutil.IsValidFullSHA(commitSHA) { + copilotSetupLog.Printf("resolveInstallScriptSHA256: commitSHA %q is not a valid full SHA, skipping", commitSHA) return "" } - scriptURL := "https://raw.githubusercontent.com/github/gh-aw/" + commitSHA + "/install-gh-aw.sh" + scriptURL := fmt.Sprintf("https://raw.githubusercontent.com/github/gh-aw/%s/install-gh-aw.sh", commitSHA) res, err := FetchImportURL(ctx, scriptURL, FetchOptions{}) if err != nil { copilotSetupLog.Printf("Could not fetch install-gh-aw.sh to compute SHA256: %v", err) return "" } h := sha256.Sum256(res.Body) - return hex.EncodeToString(h[:]) + digest := hex.EncodeToString(h[:]) + if !sha256HexRegex.MatchString(digest) { + copilotSetupLog.Printf("resolveInstallScriptSHA256: unexpected digest format %q", digest) + return "" + } + return digest } // getActionRef returns the action reference string based on action mode and version. @@ -113,7 +123,7 @@ jobs: copilotSetupLog.Printf("Could not resolve github/gh-aw main SHA for dev-mode template, falling back to mutable ref: %v", err) } sha256Line := "" - if installSHA256 != "" { + if sha256HexRegex.MatchString(installSHA256) { sha256Line = ` echo "` + installSHA256 + ` /tmp/gh-aw/install-gh-aw.sh" | sha256sum -c -` + "\n" } return fmt.Sprintf(`name: "Copilot Setup Steps" @@ -331,7 +341,7 @@ func renderCopilotSetupUpdateInstructions(ctx context.Context, filePath string, fmt.Fprintln(os.Stderr, " run: |") fmt.Fprintln(os.Stderr, " mkdir -p /tmp/gh-aw") fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/"+installRef+"/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh") - if installSHA256 != "" { + if sha256HexRegex.MatchString(installSHA256) { fmt.Fprintln(os.Stderr, ` echo "`+installSHA256+` /tmp/gh-aw/install-gh-aw.sh" | sha256sum -c -`) } fmt.Fprintln(os.Stderr, " bash /tmp/gh-aw/install-gh-aw.sh") From ee63f05fa89da8ebd5a50edaffc6703bde1e58b2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 23:53:14 +0000 Subject: [PATCH 10/21] refactor: extract installScriptTempPath constant, simplify sha256 guards - Extract /tmp/gh-aw/install-gh-aw.sh to named constant installScriptTempPath - Use constant in sha256Line construction and fmt.Fprintln calls - Simplify sha256 embedding guard from sha256HexRegex.MatchString to != "" (resolveInstallScriptSHA256 already validates format before returning) Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/cli/copilot_setup.go | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index e89e0b0d545..e46927d0463 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -21,6 +21,9 @@ import ( var copilotSetupLog = logger.New("cli:copilot_setup") +// installScriptTempPath is the temporary file path used for the downloaded gh-aw install script. +const installScriptTempPath = "/tmp/gh-aw/install-gh-aw.sh" + // sha256HexRegex matches a valid lowercase SHA256 hex digest (exactly 64 hex chars). var sha256HexRegex = regexp.MustCompile(`^[0-9a-f]{64}$`) @@ -35,7 +38,7 @@ func resolveInstallScriptSHA256(ctx context.Context, commitSHA string) string { scriptURL := fmt.Sprintf("https://raw.githubusercontent.com/github/gh-aw/%s/install-gh-aw.sh", commitSHA) res, err := FetchImportURL(ctx, scriptURL, FetchOptions{}) if err != nil { - copilotSetupLog.Printf("Could not fetch install-gh-aw.sh to compute SHA256: %v", err) + copilotSetupLog.Printf("Could not fetch install-gh-aw.sh from %s to compute SHA256: %v", scriptURL, err) return "" } h := sha256.Sum256(res.Body) @@ -123,8 +126,8 @@ jobs: copilotSetupLog.Printf("Could not resolve github/gh-aw main SHA for dev-mode template, falling back to mutable ref: %v", err) } sha256Line := "" - if sha256HexRegex.MatchString(installSHA256) { - sha256Line = ` echo "` + installSHA256 + ` /tmp/gh-aw/install-gh-aw.sh" | sha256sum -c -` + "\n" + if installSHA256 != "" { + sha256Line = ` echo "` + installSHA256 + ` ` + installScriptTempPath + `" | sha256sum -c -` + "\n" } return fmt.Sprintf(`name: "Copilot Setup Steps" @@ -340,11 +343,11 @@ func renderCopilotSetupUpdateInstructions(ctx context.Context, filePath string, fmt.Fprintln(os.Stderr, " - name: Install gh-aw extension") fmt.Fprintln(os.Stderr, " run: |") fmt.Fprintln(os.Stderr, " mkdir -p /tmp/gh-aw") - fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/"+installRef+"/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh") - if sha256HexRegex.MatchString(installSHA256) { - fmt.Fprintln(os.Stderr, ` echo "`+installSHA256+` /tmp/gh-aw/install-gh-aw.sh" | sha256sum -c -`) + fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/"+installRef+"/install-gh-aw.sh -o "+installScriptTempPath) + if installSHA256 != "" { + fmt.Fprintln(os.Stderr, ` echo "`+installSHA256+` `+installScriptTempPath+`" | sha256sum -c -`) } - fmt.Fprintln(os.Stderr, " bash /tmp/gh-aw/install-gh-aw.sh") + fmt.Fprintln(os.Stderr, " bash "+installScriptTempPath) } fmt.Fprintln(os.Stderr) } From 2f879c82dfa0db6bfaeb0f76408f556ab1328b6f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Jul 2026 23:57:28 +0000 Subject: [PATCH 11/21] refactor: use installScriptTempPath constant in fmt.Sprintf and add const comment - Use installScriptTempPath in fmt.Sprintf format args instead of hardcoded path - Add NOTE comment in copilotSetupStepsYAML const pointing to installScriptTempPath Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/cli/copilot_setup.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index e46927d0463..6c261f5e4c4 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -152,14 +152,15 @@ jobs: - name: Install gh-aw extension run: | mkdir -p /tmp/gh-aw - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/%s/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh -%s bash /tmp/gh-aw/install-gh-aw.sh -`, installRef, sha256Line) + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/%s/install-gh-aw.sh -o %s +%s bash %s +`, installRef, installScriptTempPath, sha256Line, installScriptTempPath) } // copilotSetupStepsYAML is a static dev-mode template used only for YAML validity tests. // The URL is pinned to an immutable commit SHA as a representative example; the runtime // function generateCopilotSetupStepsYAML resolves the ref dynamically via ResolveGhAwRef. +// NOTE: The temp path used here must match the installScriptTempPath constant. const copilotSetupStepsYAML = `name: "Copilot Setup Steps" # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server From 130bc2c063d2e3abfc33bdc61d9b0c1e542f05a6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Jul 2026 00:02:13 +0000 Subject: [PATCH 12/21] refactor: extract sha256CheckLine helper to deduplicate sha256sum command construction - Add sha256CheckLine(digest, path) helper that formats the sha256sum -c check line - generateCopilotSetupStepsYAML uses sha256CheckLine via sha256Cmd variable - renderCopilotSetupUpdateInstructions uses sha256CheckLine via if-line pattern Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/cli/copilot_setup.go | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index 6c261f5e4c4..9242e4d31ae 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -50,7 +50,15 @@ func resolveInstallScriptSHA256(ctx context.Context, commitSHA string) string { return digest } -// getActionRef returns the action reference string based on action mode and version. +// sha256CheckLine returns a YAML-indented shell command that verifies digest against path +// using sha256sum. Returns an empty string if digest is empty. +func sha256CheckLine(digest, path string) string { + if digest == "" { + return "" + } + return fmt.Sprintf(` echo "%s %s" | sha256sum -c -`+"\n", digest, path) +} + // If a resolver is provided and mode is release or action, attempts to resolve the SHA for a SHA-pinned reference. // Falls back to a version tag reference if SHA resolution fails or resolver is nil. func getActionRef(ctx context.Context, actionMode workflow.ActionMode, version string, resolver workflow.SHAResolver) string { @@ -125,10 +133,7 @@ jobs: } else { copilotSetupLog.Printf("Could not resolve github/gh-aw main SHA for dev-mode template, falling back to mutable ref: %v", err) } - sha256Line := "" - if installSHA256 != "" { - sha256Line = ` echo "` + installSHA256 + ` ` + installScriptTempPath + `" | sha256sum -c -` + "\n" - } + sha256Cmd := sha256CheckLine(installSHA256, installScriptTempPath) return fmt.Sprintf(`name: "Copilot Setup Steps" # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server @@ -154,7 +159,7 @@ jobs: mkdir -p /tmp/gh-aw curl -fsSL https://raw.githubusercontent.com/github/gh-aw/%s/install-gh-aw.sh -o %s %s bash %s -`, installRef, installScriptTempPath, sha256Line, installScriptTempPath) +`, installRef, installScriptTempPath, sha256Cmd, installScriptTempPath) } // copilotSetupStepsYAML is a static dev-mode template used only for YAML validity tests. @@ -345,8 +350,8 @@ func renderCopilotSetupUpdateInstructions(ctx context.Context, filePath string, fmt.Fprintln(os.Stderr, " run: |") fmt.Fprintln(os.Stderr, " mkdir -p /tmp/gh-aw") fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/"+installRef+"/install-gh-aw.sh -o "+installScriptTempPath) - if installSHA256 != "" { - fmt.Fprintln(os.Stderr, ` echo "`+installSHA256+` `+installScriptTempPath+`" | sha256sum -c -`) + if line := sha256CheckLine(installSHA256, installScriptTempPath); line != "" { + fmt.Fprint(os.Stderr, line) } fmt.Fprintln(os.Stderr, " bash "+installScriptTempPath) } From 89040e38d66a15c3b7cb7c827a1c9c092fc2869c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Jul 2026 00:06:36 +0000 Subject: [PATCH 13/21] docs: document sha256CheckLine trailing newline and parameter safety requirements Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/cli/copilot_setup.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index 9242e4d31ae..82adc56916e 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -50,8 +50,10 @@ func resolveInstallScriptSHA256(ctx context.Context, commitSHA string) string { return digest } -// sha256CheckLine returns a YAML-indented shell command that verifies digest against path -// using sha256sum. Returns an empty string if digest is empty. +// sha256CheckLine returns a YAML-indented shell command (with trailing newline) that verifies +// digest against path using sha256sum. Returns an empty string if digest is empty. +// Both parameters must be pre-validated: digest via sha256HexRegex ([0-9a-f]{64}) and path +// must be a safe filesystem path (e.g., the installScriptTempPath constant). func sha256CheckLine(digest, path string) string { if digest == "" { return "" @@ -351,7 +353,7 @@ func renderCopilotSetupUpdateInstructions(ctx context.Context, filePath string, fmt.Fprintln(os.Stderr, " mkdir -p /tmp/gh-aw") fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/"+installRef+"/install-gh-aw.sh -o "+installScriptTempPath) if line := sha256CheckLine(installSHA256, installScriptTempPath); line != "" { - fmt.Fprint(os.Stderr, line) + fmt.Fprint(os.Stderr, line) // sha256CheckLine includes trailing newline } fmt.Fprintln(os.Stderr, " bash "+installScriptTempPath) } From 996ea42434cba544ff39feaf2e7dfc25da2c2fbb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Jul 2026 00:10:51 +0000 Subject: [PATCH 14/21] fix(security): add runtime input validation to sha256CheckLine - Validate digest with sha256HexRegex at call time (not just via doc contract) - Validate path with strings.ContainsAny guard against shell metacharacters - Both checks return empty string on invalid input, preventing injection Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/cli/copilot_setup.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index 82adc56916e..a110f85188e 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -51,11 +51,15 @@ func resolveInstallScriptSHA256(ctx context.Context, commitSHA string) string { } // sha256CheckLine returns a YAML-indented shell command (with trailing newline) that verifies -// digest against path using sha256sum. Returns an empty string if digest is empty. -// Both parameters must be pre-validated: digest via sha256HexRegex ([0-9a-f]{64}) and path -// must be a safe filesystem path (e.g., the installScriptTempPath constant). +// digest against path using sha256sum. Returns an empty string if either parameter is invalid. +// digest must be a 64-char lowercase hex string (sha256HexRegex); path must contain only +// safe filesystem characters (no spaces, quotes, or shell metacharacters). func sha256CheckLine(digest, path string) string { - if digest == "" { + if !sha256HexRegex.MatchString(digest) { + return "" + } + if path == "" || strings.ContainsAny(path, " \t\n\"'\\$`;&|<>(){}") { + copilotSetupLog.Printf("sha256CheckLine: unsafe path %q, skipping", path) return "" } return fmt.Sprintf(` echo "%s %s" | sha256sum -c -`+"\n", digest, path) From 9b9b24e7a92afa1270ea132dd3d4ec689aaf496c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Jul 2026 00:14:55 +0000 Subject: [PATCH 15/21] fix: add wildcards to path validation in sha256CheckLine; remove redundant hex check - Add *? to strings.ContainsAny guard in sha256CheckLine - Remove always-true sha256HexRegex check after hex.EncodeToString in resolveInstallScriptSHA256 Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/cli/copilot_setup.go | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index a110f85188e..ac80f65c1e7 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -42,12 +42,7 @@ func resolveInstallScriptSHA256(ctx context.Context, commitSHA string) string { return "" } h := sha256.Sum256(res.Body) - digest := hex.EncodeToString(h[:]) - if !sha256HexRegex.MatchString(digest) { - copilotSetupLog.Printf("resolveInstallScriptSHA256: unexpected digest format %q", digest) - return "" - } - return digest + return hex.EncodeToString(h[:]) } // sha256CheckLine returns a YAML-indented shell command (with trailing newline) that verifies @@ -58,7 +53,7 @@ func sha256CheckLine(digest, path string) string { if !sha256HexRegex.MatchString(digest) { return "" } - if path == "" || strings.ContainsAny(path, " \t\n\"'\\$`;&|<>(){}") { + if path == "" || strings.ContainsAny(path, " \t\n\"'\\$`;&|<>(){}*?") { copilotSetupLog.Printf("sha256CheckLine: unsafe path %q, skipping", path) return "" } From 61e010978bcc503e344768b0d4863fe5f1056531 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Jul 2026 06:28:58 +0000 Subject: [PATCH 16/21] refactor(security): extract static SHA/hash constants; add update-install-script-hashes.sh Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/cli/copilot_setup.go | 25 +++++++--- scripts/update-install-script-hashes.sh | 65 +++++++++++++++++++++++++ 2 files changed, 82 insertions(+), 8 deletions(-) create mode 100755 scripts/update-install-script-hashes.sh diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index ac80f65c1e7..2926fd92309 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -24,6 +24,15 @@ var copilotSetupLog = logger.New("cli:copilot_setup") // installScriptTempPath is the temporary file path used for the downloaded gh-aw install script. const installScriptTempPath = "/tmp/gh-aw/install-gh-aw.sh" +// copilotSetupStepsStaticSHA is the pinned commit SHA of install-gh-aw.sh used in the static +// YAML test template and as the fallback when ResolveGhAwRef is unavailable. +// Run scripts/update-install-script-hashes.sh to refresh both this value and copilotSetupStepsStaticSHA256. +const copilotSetupStepsStaticSHA = "21a6827c430f89d3b7443074cfc8bd25b84d278f" + +// copilotSetupStepsStaticSHA256 is the SHA256 hex digest of install-gh-aw.sh at copilotSetupStepsStaticSHA. +// Run scripts/update-install-script-hashes.sh to refresh both this value and copilotSetupStepsStaticSHA. +const copilotSetupStepsStaticSHA256 = "248ccebcb998c6a506548156e1bf9f02429cbbaec407d5adbdfd316ab0f866a0" + // sha256HexRegex matches a valid lowercase SHA256 hex digest (exactly 64 hex chars). var sha256HexRegex = regexp.MustCompile(`^[0-9a-f]{64}$`) @@ -164,10 +173,10 @@ jobs: } // copilotSetupStepsYAML is a static dev-mode template used only for YAML validity tests. -// The URL is pinned to an immutable commit SHA as a representative example; the runtime -// function generateCopilotSetupStepsYAML resolves the ref dynamically via ResolveGhAwRef. -// NOTE: The temp path used here must match the installScriptTempPath constant. -const copilotSetupStepsYAML = `name: "Copilot Setup Steps" +// It is built from copilotSetupStepsStaticSHA and copilotSetupStepsStaticSHA256 so that +// scripts/update-install-script-hashes.sh can refresh both values in a single place. +// The runtime function generateCopilotSetupStepsYAML resolves the ref dynamically via ResolveGhAwRef. +var copilotSetupStepsYAML = fmt.Sprintf(`name: "Copilot Setup Steps" # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server on: @@ -190,10 +199,10 @@ jobs: - name: Install gh-aw extension run: | mkdir -p /tmp/gh-aw - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/21a6827c430f89d3b7443074cfc8bd25b84d278f/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh - echo "248ccebcb998c6a506548156e1bf9f02429cbbaec407d5adbdfd316ab0f866a0 /tmp/gh-aw/install-gh-aw.sh" | sha256sum -c - - bash /tmp/gh-aw/install-gh-aw.sh -` + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/%s/install-gh-aw.sh -o %s + echo "%s %s" | sha256sum -c - + bash %s +`, copilotSetupStepsStaticSHA, installScriptTempPath, copilotSetupStepsStaticSHA256, installScriptTempPath, installScriptTempPath) // CopilotWorkflowStep represents a GitHub Actions workflow step for Copilot setup scaffolding type CopilotWorkflowStep struct { diff --git a/scripts/update-install-script-hashes.sh b/scripts/update-install-script-hashes.sh new file mode 100755 index 00000000000..3fdb44f8a1c --- /dev/null +++ b/scripts/update-install-script-hashes.sh @@ -0,0 +1,65 @@ +#!/bin/bash +set +o histexpand + +# Updates copilotSetupStepsStaticSHA and copilotSetupStepsStaticSHA256 in +# pkg/cli/copilot_setup.go to the current HEAD commit of the main branch. +# +# Usage: +# scripts/update-install-script-hashes.sh +# +# Requirements: gh (GitHub CLI, authenticated), sha256sum (coreutils), curl, sed +# +# Environment Variables: +# GITHUB_TOKEN - Optional. GitHub token for authentication (used by gh CLI). +set -euo pipefail + +REPO="github/gh-aw" +FILE="pkg/cli/copilot_setup.go" + +# Accept a GITHUB_TOKEN forwarded from CI +if [ -n "${GITHUB_TOKEN:-}" ]; then + export GH_TOKEN="$GITHUB_TOKEN" +fi + +if ! command -v gh &>/dev/null; then + echo "error: GitHub CLI (gh) not found. Install it from https://cli.github.com" >&2 + exit 1 +fi + +echo "Resolving HEAD SHA of ${REPO} main branch..." +NEW_SHA=$(gh api "repos/${REPO}/commits/main" --jq '.sha') +if [ -z "$NEW_SHA" ] || [ "${#NEW_SHA}" -ne 40 ]; then + echo "error: could not resolve main HEAD SHA (got: '${NEW_SHA}')" >&2 + exit 1 +fi +echo " HEAD SHA: ${NEW_SHA}" + +SCRIPT_URL="https://raw.githubusercontent.com/${REPO}/${NEW_SHA}/install-gh-aw.sh" +echo "Downloading install-gh-aw.sh at ${NEW_SHA}..." +TMPFILE=$(mktemp /tmp/install-gh-aw-XXXXXX.sh) +trap 'rm -f "$TMPFILE"' EXIT +curl -fsSL "$SCRIPT_URL" -o "$TMPFILE" + +NEW_SHA256=$(sha256sum "$TMPFILE" | awk '{print $1}') +if [ -z "$NEW_SHA256" ] || [ "${#NEW_SHA256}" -ne 64 ]; then + echo "error: could not compute SHA256 (got: '${NEW_SHA256}')" >&2 + exit 1 +fi +echo " SHA256: ${NEW_SHA256}" + +OLD_SHA=$(grep 'copilotSetupStepsStaticSHA = ' "$FILE" | sed 's/.*"\([^"]*\)".*/\1/') +OLD_SHA256=$(grep 'copilotSetupStepsStaticSHA256 = ' "$FILE" | sed 's/.*"\([^"]*\)".*/\1/') + +if [ "$OLD_SHA" = "$NEW_SHA" ] && [ "$OLD_SHA256" = "$NEW_SHA256" ]; then + echo "No changes needed — values are already up to date." + exit 0 +fi + +echo "Updating ${FILE}..." +sed -i \ + -e "s|copilotSetupStepsStaticSHA = \"[0-9a-f]*\"|copilotSetupStepsStaticSHA = \"${NEW_SHA}\"|" \ + -e "s|copilotSetupStepsStaticSHA256 = \"[0-9a-f]*\"|copilotSetupStepsStaticSHA256 = \"${NEW_SHA256}\"|" \ + "$FILE" + +echo "Done. Review the diff and commit:" +echo " git diff ${FILE}" From b8c27648c39c6846eb57cb66ad81c10287336a99 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Jul 2026 06:46:42 +0000 Subject: [PATCH 17/21] feat(makefile): add sync-install-script-hashes target and wire into update Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- Makefile | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Makefile b/Makefile index 88a141ab5ec..da1bdbe9628 100644 --- a/Makefile +++ b/Makefile @@ -1013,6 +1013,13 @@ sync-action-scripts: @chmod +x actions/setup-cli/install.sh @echo "✓ Action scripts synced successfully" +# Sync install-gh-aw.sh SHA/hash constants in pkg/cli/copilot_setup.go +.PHONY: sync-install-script-hashes +sync-install-script-hashes: + @echo "Updating install-gh-aw.sh SHA and SHA256 constants..." + @bash scripts/update-install-script-hashes.sh + @echo "✓ Install script hashes synced successfully" + # Recompile all workflow files .PHONY: recompile recompile: build @@ -1052,6 +1059,7 @@ dependabot: build update: build ./$(BINARY_NAME) update $(MAKE) sync-action-pins + $(MAKE) sync-install-script-hashes $(MAKE) build # Run development server @@ -1190,6 +1198,7 @@ help: @echo " install - Install binary locally" @echo " sync-action-pins - Sync actions-lock.json from .github/aw to pkg/actionpins/data and pkg/workflow/data (runs automatically during build)" @echo " sync-action-scripts - Sync install-gh-aw.sh to actions/setup-cli/install.sh (runs automatically during build)" + @echo " sync-install-script-hashes - Update install-gh-aw.sh SHA and SHA256 constants in pkg/cli/copilot_setup.go (runs automatically during update)" @echo " update - Update GitHub Actions and workflows, sync action pins, and rebuild binary" @echo " fix - Apply automatic codemod-style fixes to workflow files (depends on build)" @echo " recompile - Recompile all workflow files (runs init, depends on build)" From 1512d2b742ed715415dcac2d0abf9b87c64478f4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Jul 2026 08:35:44 +0000 Subject: [PATCH 18/21] merge: update from main and recompile lock files (firewall bump to 0.27.26) Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- .../workflows/daily-byok-ollama-test.lock.yml | 13 ++++++++++--- .github/workflows/smoke-codex.lock.yml | 16 +++++++++++++--- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/.github/workflows/daily-byok-ollama-test.lock.yml b/.github/workflows/daily-byok-ollama-test.lock.yml index 4d6c3db2a9e..fb07116059c 100644 --- a/.github/workflows/daily-byok-ollama-test.lock.yml +++ b/.github/workflows/daily-byok-ollama-test.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"eee569f9fae2a93ae15390081598db67ecce6bb925746a1efcc2137e5d82fdde","body_hash":"bd80ca99e3f4cd56715c7a73bd9f5c56165dc64beee430b859670700764082f0","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.68"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"92a633df2d6b6105c26057412bc3df6371091bbf0c1018517abcd8015e274086","body_hash":"bd80ca99e3f4cd56715c7a73bd9f5c56165dc64beee430b859670700764082f0","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.68"}} # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.26","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.26@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.26","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.26@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.26","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.26@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -446,9 +446,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh" env: GH_TOKEN: ${{ github.token }} - - name: Install Ollama + - env: + OLLAMA_INSTALL_SHA256: 25f64b810b947145095956533e1bdf56eacea2673c55a7e586be4515fc882c9f + OLLAMA_VERSION: 0.31.1 + name: Install Ollama run: | - curl -fsSL https://ollama.com/install.sh | sh + echo "Downloading Ollama v${OLLAMA_VERSION} install script..." + mkdir -p /tmp/gh-aw + curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/gh-aw/ollama-install.sh + echo "${OLLAMA_INSTALL_SHA256} /tmp/gh-aw/ollama-install.sh" | sha256sum -c - + bash /tmp/gh-aw/ollama-install.sh - name: Generate Ollama API key run: | OLLAMA_API_KEY="$(openssl rand -hex 16)" diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 490376d2d70..9405573f661 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"f4c25dc4e3ebaa00201eec60464e37b5d059d7c2c14344ad95baab84851c84c8","body_hash":"fae212c4ff39a682e3254fae440084a2152282e383467ff3f0c15fb9d2d69411","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"b1584c2862c71b94968843ff97149d2dfd8b6d9e66c14bd7dbfbe0c1af4c124b","body_hash":"fae212c4ff39a682e3254fae440084a2152282e383467ff3f0c15fb9d2d69411","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} # gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions-ecosystem/action-add-labels","sha":"c96b68fec76a0987cd93957189e9abd0b9a72ff1","version":"v1.1.3"},{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"924ae3a1cded613372ab5595356fb5720e22ba16","version":"v6.5.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.26","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.26@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.26","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.26@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.26","digest":"sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.26@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.26","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.26@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"},{"image":"ghcr.io/github/serena-mcp-server:latest","digest":"sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5","pinned_image":"ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -2415,10 +2415,20 @@ jobs: - name: Install TruffleHog id: install-trufflehog run: | - echo "Installing TruffleHog v${TRUFFLEHOG_VERSION}..." - curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin "v${TRUFFLEHOG_VERSION}" + ARCH=$(uname -m) + if [ "$ARCH" != "x86_64" ]; then + echo "::error::TruffleHog installation only supports x86_64 (linux_amd64); detected $ARCH. Self-hosted ARM runners must install TruffleHog separately." + exit 1 + fi + echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." + mkdir -p /tmp/gh-aw + curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/gh-aw/trufflehog.tar.gz + # SHA256 covers the .tar.gz archive; the binary is extracted from the verified archive + echo "${TRUFFLEHOG_SHA256} /tmp/gh-aw/trufflehog.tar.gz" | sha256sum -c - + sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz --no-same-owner -C /usr/local/bin trufflehog trufflehog --version env: + TRUFFLEHOG_SHA256: e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7 TRUFFLEHOG_VERSION: 3.88.27 - name: Scan agent output for secrets id: scan-agent-output From 0ab68ade408d7abbef4ef7c9035852929604ee4c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 02:29:38 +0000 Subject: [PATCH 19/21] test: add init command tests for new download+verify syntax (RGS-018) Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/cli/copilot_setup_test.go | 118 +++++++++++++++++++++++++++++++++- 1 file changed, 117 insertions(+), 1 deletion(-) diff --git a/pkg/cli/copilot_setup_test.go b/pkg/cli/copilot_setup_test.go index 1ef35059af9..a9452d9faab 100644 --- a/pkg/cli/copilot_setup_test.go +++ b/pkg/cli/copilot_setup_test.go @@ -80,6 +80,40 @@ func TestEnsureCopilotSetupSteps(t *testing.T) { } }, }, + { + name: "skips update when new download+verify install already exists", + existingWorkflow: &Workflow{ + Name: "Copilot Setup Steps", + On: "workflow_dispatch", + Jobs: map[string]WorkflowJob{ + "copilot-setup-steps": { + RunsOn: "ubuntu-latest", + Steps: []CopilotWorkflowStep{ + { + Name: "Install gh-aw extension", + Run: "mkdir -p /tmp/gh-aw\n" + + "curl -fsSL https://raw.githubusercontent.com/github/gh-aw/" + copilotSetupStepsStaticSHA + "/install-gh-aw.sh -o " + installScriptTempPath + "\n" + + "echo \"" + copilotSetupStepsStaticSHA256 + " " + installScriptTempPath + "\" | sha256sum -c -\n" + + "bash " + installScriptTempPath, + }, + }, + }, + }, + }, + verbose: true, + wantErr: false, + validateContent: func(t *testing.T, content []byte) { + // File should remain unchanged when download+verify syntax is already present + count := strings.Count(string(content), "Install gh-aw extension") + if count != 1 { + t.Errorf("Expected exactly 1 occurrence of 'Install gh-aw extension', got %d", count) + } + // sha256sum check should be preserved + if !strings.Contains(string(content), "sha256sum") { + t.Error("Expected sha256sum check to be preserved in existing download+verify file") + } + }, + }, { name: "renders instructions for existing workflow without install step", existingWorkflow: &Workflow{ @@ -265,16 +299,29 @@ func TestCopilotSetupStepsYAMLConstant(t *testing.T) { // Verify it has the extension install step hasExtensionInstall := false + hasSecurePattern := false for _, step := range job.Steps { if strings.Contains(step.Run, "install-gh-aw.sh") || strings.Contains(step.Run, "curl -fsSL") { hasExtensionInstall = true - break + } + // Secure pattern: download to temp file (-o ) AND sha256sum integrity check + if strings.Contains(step.Run, " -o ") && strings.Contains(step.Run, "sha256sum") { + hasSecurePattern = true + } + // Ensure no direct curl|bash pipe on the same line (RGS-018 security issue) + for _, line := range strings.Split(step.Run, "\n") { + if strings.Contains(line, "curl") && strings.Contains(line, "| bash") { + t.Errorf("Template must not use curl|bash direct pipe pattern on line %q (RGS-018 security issue)", line) + } } } if !hasExtensionInstall { t.Error("Expected copilotSetupStepsYAML to contain extension install step with bash script") } + if !hasSecurePattern { + t.Error("Expected copilotSetupStepsYAML to use download-to-file (-o) with sha256sum integrity verification (RGS-018 fix)") + } // Verify it does NOT have checkout, Go setup or build steps (for universal use) for _, step := range job.Steps { @@ -611,6 +658,15 @@ func TestEnsureCopilotSetupSteps_CreateWithDevMode(t *testing.T) { if strings.Contains(contentStr, "actions/checkout") { t.Errorf("Did not expect checkout step in dev mode") } + // Verify download-to-file pattern (not direct curl pipe) + for _, line := range strings.Split(contentStr, "\n") { + if strings.Contains(line, "curl") && strings.Contains(line, "| bash") { + t.Errorf("Expected download-to-file pattern, not direct curl|bash pipe on line %q (RGS-018 security fix)", line) + } + } + if !strings.Contains(contentStr, "-o "+installScriptTempPath) { + t.Errorf("Expected download to temp file %s in dev mode", installScriptTempPath) + } } func TestEnsureCopilotSetupSteps_UsesWorkflowDirEnvOverride(t *testing.T) { @@ -888,6 +944,66 @@ jobs: } } +// TestEnsureCopilotSetupSteps_SkipsUpdateWhenDownloadVerifyExists tests that update is skipped +// when the new download+verify syntax (RGS-018 fix) already exists in the file. +func TestEnsureCopilotSetupSteps_SkipsUpdateWhenDownloadVerifyExists(t *testing.T) { + tmpDir := t.TempDir() + originalDir, err := os.Getwd() + if err != nil { + t.Fatalf("Failed to get current directory: %v", err) + } + defer func() { _ = os.Chdir(originalDir) }() + + if err := os.Chdir(tmpDir); err != nil { + t.Fatalf("Failed to change to temp directory: %v", err) + } + + // Create .github/workflows directory + workflowsDir := filepath.Join(".github", "workflows") + if err := os.MkdirAll(workflowsDir, 0755); err != nil { + t.Fatalf("Failed to create workflows directory: %v", err) + } + + // Write existing workflow WITH the new download+verify syntax (no direct curl|bash pipe) + existingContent := "name: \"Copilot Setup Steps\"\n" + + "on: workflow_dispatch\n" + + "jobs:\n" + + " copilot-setup-steps:\n" + + " runs-on: ubuntu-latest\n" + + " steps:\n" + + " - name: Install gh-aw extension\n" + + " run: |\n" + + " mkdir -p /tmp/gh-aw\n" + + " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/" + copilotSetupStepsStaticSHA + "/install-gh-aw.sh -o " + installScriptTempPath + "\n" + + " echo \"" + copilotSetupStepsStaticSHA256 + " " + installScriptTempPath + "\" | sha256sum -c -\n" + + " bash " + installScriptTempPath + "\n" + + setupStepsPath := filepath.Join(workflowsDir, "copilot-setup-steps.yml") + if err := os.WriteFile(setupStepsPath, []byte(existingContent), 0644); err != nil { + t.Fatalf("Failed to write existing workflow: %v", err) + } + + // Attempt to update - should skip since install step already exists + err = ensureCopilotSetupSteps(context.Background(), false, workflow.ActionModeDev, "dev") + if err != nil { + t.Fatalf("ensureCopilotSetupSteps(context.Background()) failed: %v", err) + } + + // Verify file content is unchanged (download+verify syntax is recognized as already configured) + content, err := os.ReadFile(setupStepsPath) + if err != nil { + t.Fatalf("Failed to read file: %v", err) + } + + if string(content) != existingContent { + t.Errorf("Expected file to remain unchanged when download+verify syntax already present,\ngot:\n%s", string(content)) + } + // Confirm sha256sum check is still there + if !strings.Contains(string(content), "sha256sum") { + t.Error("Expected sha256sum integrity check to be preserved") + } +} + // TestUpgradeCopilotSetupSteps tests upgrading version in existing copilot-setup-steps.yml func TestUpgradeCopilotSetupSteps(t *testing.T) { tmpDir := t.TempDir() From 8a1e3a5412ab2f6287ac22aed3cff785deade0e3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 02:46:57 +0000 Subject: [PATCH 20/21] fix(lint): use strings.SplitSeq in range loops (modernize) Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/cli/copilot_setup_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/cli/copilot_setup_test.go b/pkg/cli/copilot_setup_test.go index a9452d9faab..171f569c9d9 100644 --- a/pkg/cli/copilot_setup_test.go +++ b/pkg/cli/copilot_setup_test.go @@ -309,7 +309,7 @@ func TestCopilotSetupStepsYAMLConstant(t *testing.T) { hasSecurePattern = true } // Ensure no direct curl|bash pipe on the same line (RGS-018 security issue) - for _, line := range strings.Split(step.Run, "\n") { + for line := range strings.SplitSeq(step.Run, "\n") { if strings.Contains(line, "curl") && strings.Contains(line, "| bash") { t.Errorf("Template must not use curl|bash direct pipe pattern on line %q (RGS-018 security issue)", line) } @@ -659,7 +659,7 @@ func TestEnsureCopilotSetupSteps_CreateWithDevMode(t *testing.T) { t.Errorf("Did not expect checkout step in dev mode") } // Verify download-to-file pattern (not direct curl pipe) - for _, line := range strings.Split(contentStr, "\n") { + for line := range strings.SplitSeq(contentStr, "\n") { if strings.Contains(line, "curl") && strings.Contains(line, "| bash") { t.Errorf("Expected download-to-file pattern, not direct curl|bash pipe on line %q (RGS-018 security fix)", line) } From 6555a449ef9d5df03bbd68f7f4c266f7d33a2899 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 04:19:33 +0000 Subject: [PATCH 21/21] merge: update from main, recompile all lock files Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- .github/workflows/ab-testing-advisor.lock.yml | 7 +++-- .../agent-performance-analyzer.lock.yml | 10 +++---- .../workflows/agent-persona-explorer.lock.yml | 10 +++---- .../agentic-token-optimizer.lock.yml | 7 +++-- .github/workflows/ai-moderator.lock.yml | 7 +++-- .github/workflows/approach-validator.lock.yml | 7 +++-- .github/workflows/archie.lock.yml | 10 +++---- .github/workflows/artifacts-summary.lock.yml | 7 +++-- .github/workflows/auto-triage-issues.lock.yml | 7 +++-- .github/workflows/avenger.lock.yml | 7 +++-- .../aw-failure-investigator.lock.yml | 10 +++---- .github/workflows/bot-detection.lock.yml | 7 +++-- .../breaking-change-checker.lock.yml | 7 +++-- .../workflows/chaos-pr-bundle-fuzzer.lock.yml | 7 +++-- .github/workflows/ci-coach.lock.yml | 7 +++-- .github/workflows/ci-doctor.lock.yml | 7 +++-- .../claude-code-user-docs-review.lock.yml | 7 +++-- .../workflows/code-scanning-fixer.lock.yml | 7 +++-- .github/workflows/code-simplifier.lock.yml | 7 +++-- .../codex-github-remote-mcp-test.lock.yml | 7 +++-- .../commit-changes-analyzer.lock.yml | 7 +++-- .github/workflows/contribution-check.lock.yml | 7 +++-- .../workflows/copilot-agent-analysis.lock.yml | 7 +++-- .../copilot-cli-deep-research.lock.yml | 7 +++-- .github/workflows/copilot-opt.lock.yml | 7 +++-- .../copilot-pr-nlp-analysis.lock.yml | 7 +++-- .../copilot-pr-prompt-analysis.lock.yml | 7 +++-- .../copilot-session-insights.lock.yml | 7 +++-- .github/workflows/craft.lock.yml | 7 +++-- ...aily-agent-of-the-day-blog-writer.lock.yml | 10 +++---- .../daily-ambient-context-optimizer.lock.yml | 10 +++---- .../daily-assign-issue-to-user.lock.yml | 7 +++-- ...daily-aw-cross-repo-compile-check.lock.yml | 7 +++-- ...daily-awf-spec-compiler-surfacing.lock.yml | 7 +++-- .../daily-cache-strategy-analyzer.lock.yml | 10 +++---- .../daily-caveman-optimizer.lock.yml | 7 +++-- .github/workflows/daily-choice-test.lock.yml | 7 +++-- .../workflows/daily-cli-performance.lock.yml | 10 +++---- .github/workflows/daily-code-metrics.lock.yml | 7 +++-- .../daily-community-attribution.lock.yml | 7 +++-- .../workflows/daily-compiler-quality.lock.yml | 10 +++---- ...ly-compiler-threat-spec-optimizer.lock.yml | 7 +++-- .github/workflows/daily-doc-healer.lock.yml | 7 +++-- .github/workflows/daily-doc-updater.lock.yml | 7 +++-- .../daily-experiment-report.lock.yml | 7 +++-- .github/workflows/daily-fact.lock.yml | 10 +++---- .github/workflows/daily-file-diet.lock.yml | 10 +++---- .../workflows/daily-firewall-report.lock.yml | 10 +++---- .../daily-formal-spec-verifier.lock.yml | 7 +++-- .../workflows/daily-function-namer.lock.yml | 10 +++---- .../workflows/daily-geo-optimizer.lock.yml | 7 +++-- .github/workflows/daily-hippo-learn.lock.yml | 10 +++---- .../workflows/daily-issues-report.lock.yml | 7 +++-- .../daily-malicious-code-scan.lock.yml | 7 +++-- .../daily-mcp-concurrency-analysis.lock.yml | 10 +++---- .../workflows/daily-model-inventory.lock.yml | 7 +++-- .../workflows/daily-model-resolution.lock.yml | 10 +++---- .../daily-multi-device-docs-tester.lock.yml | 7 +++-- .github/workflows/daily-news.lock.yml | 13 ++++------ .../daily-observability-report.lock.yml | 10 +++---- .../daily-performance-summary.lock.yml | 10 +++---- .github/workflows/daily-regulatory.lock.yml | 10 +++---- .../daily-reliability-review.lock.yml | 10 +++---- .../daily-rendering-scripts-verifier.lock.yml | 10 +++---- .../workflows/daily-repo-chronicle.lock.yml | 7 +++-- .../daily-safe-output-integrator.lock.yml | 7 +++-- .../daily-safe-outputs-conformance.lock.yml | 7 +++-- .../daily-safeoutputs-git-simulator.lock.yml | 7 +++-- .../workflows/daily-secrets-analysis.lock.yml | 7 +++-- .../daily-security-observability.lock.yml | 10 +++---- .../daily-security-red-team.lock.yml | 7 +++-- .github/workflows/daily-semgrep-scan.lock.yml | 10 +++---- .../daily-spdd-spec-planner.lock.yml | 7 +++-- .../daily-team-evolution-insights.lock.yml | 7 +++-- .github/workflows/daily-team-status.lock.yml | 7 +++-- .../daily-testify-uber-super-expert.lock.yml | 10 +++---- ...dows-terminal-integration-builder.lock.yml | 7 +++-- .../workflows/daily-workflow-updater.lock.yml | 7 +++-- .../workflows/daily-yamllint-fixer.lock.yml | 7 +++-- .../dataflow-pr-discussion-dataset.lock.yml | 7 +++-- .github/workflows/dead-code-remover.lock.yml | 7 +++-- .github/workflows/deep-report.lock.yml | 13 ++++------ .github/workflows/delight.lock.yml | 7 +++-- .github/workflows/dependabot-burner.lock.yml | 7 +++-- .../workflows/dependabot-go-checker.lock.yml | 7 +++-- .github/workflows/dependabot-repair.lock.yml | 7 +++-- .../deployment-incident-monitor.lock.yml | 7 +++-- .../workflows/design-decision-gate.lock.yml | 7 +++-- .../workflows/designer-drift-audit.lock.yml | 7 +++-- .github/workflows/dev-hawk.lock.yml | 10 +++---- .github/workflows/dev.lock.yml | 7 +++-- .../developer-docs-consolidator.lock.yml | 10 +++---- .github/workflows/dictation-prompt.lock.yml | 7 +++-- .../workflows/discussion-task-miner.lock.yml | 7 +++-- .github/workflows/draft-pr-cleanup.lock.yml | 7 +++-- .github/workflows/eslint-miner.lock.yml | 7 +++-- .github/workflows/eslint-monster.lock.yml | 7 +++-- .github/workflows/eslint-refiner.lock.yml | 7 +++-- .../example-permissions-warning.lock.yml | 7 +++-- .../example-workflow-analyzer.lock.yml | 10 +++---- .github/workflows/firewall-escape.lock.yml | 7 +++-- .../workflows/functional-pragmatist.lock.yml | 7 +++-- .../github-mcp-structural-analysis.lock.yml | 7 +++-- .../github-mcp-tools-report.lock.yml | 7 +++-- .../github-remote-mcp-auth-test.lock.yml | 7 +++-- .../workflows/glossary-maintainer.lock.yml | 10 +++---- .github/workflows/go-fan.lock.yml | 10 +++---- .github/workflows/go-logger.lock.yml | 7 +++-- .github/workflows/gpclean.lock.yml | 7 +++-- .github/workflows/grumpy-reviewer.lock.yml | 7 +++-- .github/workflows/hippo-embed.lock.yml | 10 +++---- .github/workflows/hourly-ci-cleaner.lock.yml | 7 +++-- .../impeccable-skills-reviewer.lock.yml | 7 +++-- .../workflows/instructions-janitor.lock.yml | 7 +++-- .github/workflows/issue-arborist.lock.yml | 7 +++-- .github/workflows/issue-monster.lock.yml | 7 +++-- .github/workflows/issue-triage-agent.lock.yml | 7 +++-- .github/workflows/jsweep.lock.yml | 7 +++-- .../workflows/layout-spec-maintainer.lock.yml | 7 +++-- .github/workflows/lint-monster.lock.yml | 7 +++-- .github/workflows/linter-miner.lock.yml | 10 +++---- .../mattpocock-skills-reviewer.lock.yml | 7 +++-- .github/workflows/mergefest.lock.yml | 7 +++-- .github/workflows/metrics-collector.lock.yml | 10 +++---- .github/workflows/necromancer.lock.yml | 7 +++-- .../workflows/notion-issue-summary.lock.yml | 10 +++---- .../objective-impact-report.lock.yml | 7 +++-- .github/workflows/org-health-report.lock.yml | 7 +++-- .github/workflows/outcome-collector.lock.yml | 7 +++-- .github/workflows/plan.lock.yml | 7 +++-- .github/workflows/poem-bot.lock.yml | 7 +++-- .../pr-code-quality-reviewer.lock.yml | 7 +++-- .../workflows/pr-description-caveman.lock.yml | 7 +++-- .../workflows/pr-nitpick-reviewer.lock.yml | 7 +++-- .github/workflows/pr-sous-chef.lock.yml | 7 +++-- .github/workflows/pr-triage-agent.lock.yml | 7 +++-- .../prompt-clustering-analysis.lock.yml | 10 +++---- .github/workflows/q.lock.yml | 10 +++---- .../workflows/refactoring-cadence.lock.yml | 7 +++-- .github/workflows/refiner.lock.yml | 7 +++-- .../workflows/repo-audit-analyzer.lock.yml | 7 +++-- .../repository-quality-improver.lock.yml | 7 +++-- .github/workflows/ruflo-backed-task.lock.yml | 10 +++---- .../schema-consistency-checker.lock.yml | 7 +++-- .../schema-feature-coverage.lock.yml | 7 +++-- .github/workflows/scout.lock.yml | 22 ++++++---------- .../workflows/security-compliance.lock.yml | 7 +++-- .github/workflows/security-review.lock.yml | 10 +++---- .../semantic-function-refactor.lock.yml | 10 +++---- .github/workflows/sergo.lock.yml | 10 +++---- .github/workflows/skillet.lock.yml | 7 +++-- .../workflows/smoke-agent-all-merged.lock.yml | 7 +++-- .../workflows/smoke-agent-all-none.lock.yml | 7 +++-- .../smoke-agent-public-approved.lock.yml | 7 +++-- .../smoke-agent-public-none.lock.yml | 7 +++-- .../smoke-agent-scoped-approved.lock.yml | 7 +++-- .github/workflows/smoke-antigravity.lock.yml | 7 +++-- .github/workflows/smoke-ci.lock.yml | 7 +++-- .../smoke-claude-on-copilot.lock.yml | 7 +++-- .github/workflows/smoke-claude.lock.yml | 16 +++++------- .github/workflows/smoke-codex.lock.yml | 26 ++++++++++++------- .../smoke-copilot-aoai-apikey.lock.yml | 16 +++++------- .../smoke-copilot-aoai-entra.lock.yml | 16 +++++------- .github/workflows/smoke-copilot-arm.lock.yml | 16 +++++------- .github/workflows/smoke-copilot.lock.yml | 16 +++++------- .../smoke-create-cross-repo-pr.lock.yml | 7 +++-- .github/workflows/smoke-crush.lock.yml | 7 +++-- .github/workflows/smoke-gemini.lock.yml | 7 +++-- .github/workflows/smoke-opencode.lock.yml | 7 +++-- .../workflows/smoke-otel-backends.lock.yml | 16 +++++------- .github/workflows/smoke-pi.lock.yml | 7 +++-- .github/workflows/smoke-project.lock.yml | 7 +++-- .../smoke-update-cross-repo-pr.lock.yml | 7 +++-- .github/workflows/spec-enforcer.lock.yml | 7 +++-- .github/workflows/spec-extractor.lock.yml | 10 +++---- .github/workflows/spec-librarian.lock.yml | 10 +++---- .github/workflows/stale-pr-cleanup.lock.yml | 7 +++-- .../workflows/stale-repo-identifier.lock.yml | 7 +++-- .../workflows/static-analysis-report.lock.yml | 10 +++---- .../workflows/step-name-alignment.lock.yml | 7 +++-- .github/workflows/sub-issue-closer.lock.yml | 7 +++-- .../workflows/technical-doc-writer.lock.yml | 7 +++-- .github/workflows/terminal-stylist.lock.yml | 10 +++---- .github/workflows/tidy.lock.yml | 7 +++-- .github/workflows/typist.lock.yml | 10 +++---- .../workflows/ubuntu-image-analyzer.lock.yml | 7 +++-- .../uk-ai-operational-resilience.lock.yml | 7 +++-- .github/workflows/unbloat-docs.lock.yml | 7 +++-- .../weekly-blog-post-writer.lock.yml | 10 +++---- .../workflows/weekly-issue-summary.lock.yml | 7 +++-- .../weekly-safe-outputs-spec-review.lock.yml | 7 +++-- .github/workflows/workflow-generator.lock.yml | 7 +++-- .../workflow-health-manager.lock.yml | 7 +++-- .../workflows/workflow-normalizer.lock.yml | 10 +++---- 194 files changed, 669 insertions(+), 927 deletions(-) diff --git a/.github/workflows/ab-testing-advisor.lock.yml b/.github/workflows/ab-testing-advisor.lock.yml index 497af443a01..bd7457eb82e 100644 --- a/.github/workflows/ab-testing-advisor.lock.yml +++ b/.github/workflows/ab-testing-advisor.lock.yml @@ -730,7 +730,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -760,8 +760,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -778,7 +777,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index da0a3664e42..10f6de2e1bd 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -885,7 +885,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9766857743be0a44_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -903,8 +903,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -936,8 +935,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -954,7 +952,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF + GH_AW_MCP_CONFIG_9766857743be0a44_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index d769290b311..74c0c836e48 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -834,7 +834,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d4759c488eff9016_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -851,8 +851,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -883,8 +882,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -901,7 +899,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF + GH_AW_MCP_CONFIG_d4759c488eff9016_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/agentic-token-optimizer.lock.yml b/.github/workflows/agentic-token-optimizer.lock.yml index 68821af824f..f36191e9ffe 100644 --- a/.github/workflows/agentic-token-optimizer.lock.yml +++ b/.github/workflows/agentic-token-optimizer.lock.yml @@ -728,7 +728,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_f185f50466326598_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -759,8 +759,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -772,7 +771,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF + GH_AW_MCP_CONFIG_f185f50466326598_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 134705d4095..69f0e6b3aea 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -820,7 +820,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_df4f2aaa827bdf05_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_2b7e096ace93f2f0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -868,8 +868,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -886,7 +885,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_df4f2aaa827bdf05_EOF + GH_AW_MCP_CONFIG_2b7e096ace93f2f0_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/approach-validator.lock.yml b/.github/workflows/approach-validator.lock.yml index dc8b4e77a3a..2b1318fdd96 100644 --- a/.github/workflows/approach-validator.lock.yml +++ b/.github/workflows/approach-validator.lock.yml @@ -809,7 +809,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -839,8 +839,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -857,7 +856,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index e6880ed7ff3..3c4f3b99a6c 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -753,7 +753,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -784,8 +784,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -814,8 +813,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -832,7 +830,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index a1c33723fc3..5d3f65bda7f 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -693,7 +693,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -724,8 +724,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -742,7 +741,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 18b1bf89c5c..ba59274d9bb 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -756,7 +756,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -786,8 +786,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -804,7 +803,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/avenger.lock.yml b/.github/workflows/avenger.lock.yml index 6205a992522..33ec08c7bb5 100644 --- a/.github/workflows/avenger.lock.yml +++ b/.github/workflows/avenger.lock.yml @@ -754,7 +754,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -784,8 +784,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -802,7 +801,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index 651d74f02f2..20be16fa1ad 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml @@ -903,7 +903,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d4759c488eff9016_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -920,8 +920,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -952,8 +951,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -970,7 +968,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF + GH_AW_MCP_CONFIG_d4759c488eff9016_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index 74b36b0494f..1cbd6d44e85 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -783,7 +783,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -830,8 +830,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -848,7 +847,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index bf7bbfdd993..8bc3c93401b 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -754,7 +754,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -785,8 +785,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -803,7 +802,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml index 227090b45ff..a37f610561d 100644 --- a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml +++ b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml @@ -733,7 +733,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -763,8 +763,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -781,7 +780,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 2cb38d5a1cb..cb88ca7dd9b 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -812,7 +812,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -843,8 +843,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -861,7 +860,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 22c6a25170d..3613e7e6c6a 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -916,7 +916,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -946,8 +946,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -964,7 +963,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 1eaea832165..21690d72d40 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -729,7 +729,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -759,8 +759,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -777,7 +776,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 211f34ecf04..a228132e6a5 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -763,7 +763,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -794,8 +794,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -812,7 +811,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 68e857c041c..5a513c6b195 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -740,7 +740,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -771,8 +771,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -789,7 +788,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 3d635f22b85..d81552508c3 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -664,7 +664,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_a0d2d14689813628_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_3f68f79b95d51807_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -709,8 +709,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -727,7 +726,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_a0d2d14689813628_EOF + GH_AW_MCP_CONFIG_3f68f79b95d51807_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 9447987db84..1ad18df1076 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -697,7 +697,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -727,8 +727,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -745,7 +744,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 08c6e4ca406..89ab7a53002 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -838,7 +838,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -869,8 +869,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -887,7 +886,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index f7ec4a7bb13..05f51cf3269 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -805,7 +805,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -835,8 +835,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -853,7 +852,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index ed29e977b3c..0ba13f4921e 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -730,7 +730,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -761,8 +761,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -779,7 +778,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/copilot-opt.lock.yml b/.github/workflows/copilot-opt.lock.yml index 1ad4f8840cc..d909384084c 100644 --- a/.github/workflows/copilot-opt.lock.yml +++ b/.github/workflows/copilot-opt.lock.yml @@ -759,7 +759,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -790,8 +790,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -808,7 +807,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 330a0239b0a..61dc0a7cb5e 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -809,7 +809,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -856,8 +856,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -874,7 +873,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index a0194285899..eca8227109f 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -761,7 +761,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -808,8 +808,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -826,7 +825,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index fe6fe0fa08a..cd404de7499 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -813,7 +813,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -843,8 +843,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -861,7 +860,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 6851433cfda..ace622f1fec 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -775,7 +775,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -806,8 +806,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -824,7 +823,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index c74ebe5d345..cad4f8a6a13 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml @@ -827,7 +827,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_06bff4ae99b92834_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_16573538fa7590e4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -845,8 +845,7 @@ jobs: "write-sink": { "accept": [ "private:github/gh-aw" - ], - "sink-visibility": "public" + ] } } }, @@ -878,8 +877,7 @@ jobs: "write-sink": { "accept": [ "private:github/gh-aw" - ], - "sink-visibility": "public" + ] } } } @@ -896,7 +894,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_06bff4ae99b92834_EOF + GH_AW_MCP_CONFIG_16573538fa7590e4_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-ambient-context-optimizer.lock.yml b/.github/workflows/daily-ambient-context-optimizer.lock.yml index 577ac9cf6e1..d44ad406dec 100644 --- a/.github/workflows/daily-ambient-context-optimizer.lock.yml +++ b/.github/workflows/daily-ambient-context-optimizer.lock.yml @@ -792,7 +792,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9766857743be0a44_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -810,8 +810,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -843,8 +842,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -861,7 +859,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF + GH_AW_MCP_CONFIG_9766857743be0a44_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 1ea45a69adc..6caef4615a6 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -705,7 +705,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -736,8 +736,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -754,7 +753,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml index 5569d536f0c..fc6739a5e59 100644 --- a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml +++ b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml @@ -738,7 +738,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -768,8 +768,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -786,7 +785,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml b/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml index 58740ad3f02..5268391f569 100644 --- a/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml +++ b/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml @@ -725,7 +725,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -755,8 +755,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -773,7 +772,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index 633a70cc608..d7ea09542ba 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml @@ -912,7 +912,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d4759c488eff9016_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -929,8 +929,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -961,8 +960,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -979,7 +977,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF + GH_AW_MCP_CONFIG_d4759c488eff9016_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/daily-caveman-optimizer.lock.yml b/.github/workflows/daily-caveman-optimizer.lock.yml index cb256d0cc4f..5e188c5a5b9 100644 --- a/.github/workflows/daily-caveman-optimizer.lock.yml +++ b/.github/workflows/daily-caveman-optimizer.lock.yml @@ -779,7 +779,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -809,8 +809,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -827,7 +826,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 95edc606a3a..923000a8990 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -699,7 +699,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -729,8 +729,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -747,7 +746,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 478bba1a09c..b1676c3a41f 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -948,7 +948,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_7b1cde96be66d27e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_981a997d5e8928ca_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "mcpscripts": { @@ -961,8 +961,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -994,8 +993,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1012,7 +1010,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_7b1cde96be66d27e_EOF + GH_AW_MCP_CONFIG_981a997d5e8928ca_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 53a6c4916a0..d99e9ad8d7a 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -836,7 +836,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -866,8 +866,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -884,7 +883,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 841fbe03378..b46bb2b9fe6 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -834,7 +834,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -865,8 +865,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -883,7 +882,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 828e9574714..bd2a9a2226d 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -770,7 +770,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -801,8 +801,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -831,8 +830,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -849,7 +847,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml index f94451ce127..b53d1151932 100644 --- a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml +++ b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml @@ -746,7 +746,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -777,8 +777,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -795,7 +794,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 424653fa855..8b8994af0e0 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -851,7 +851,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -881,8 +881,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -899,7 +898,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index eda4cf85eca..ae1a494afb7 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -774,7 +774,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -804,8 +804,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -822,7 +821,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-experiment-report.lock.yml b/.github/workflows/daily-experiment-report.lock.yml index 5d3670c9ef5..0ed01b557b4 100644 --- a/.github/workflows/daily-experiment-report.lock.yml +++ b/.github/workflows/daily-experiment-report.lock.yml @@ -811,7 +811,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_ac818393cef5ecb7_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_e3fc47e7afd0c68e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -858,8 +858,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -876,7 +875,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_ac818393cef5ecb7_EOF + GH_AW_MCP_CONFIG_e3fc47e7afd0c68e_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index f8c7dac1899..3a7bcbe42d7 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -911,7 +911,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_60409a33895dc52e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_3c0be2dc8b0c8872_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "mempalace": { @@ -942,8 +942,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -974,8 +973,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -992,7 +990,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_60409a33895dc52e_EOF + GH_AW_MCP_CONFIG_3c0be2dc8b0c8872_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 8a269706592..bfe90ba7b8a 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -722,7 +722,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -753,8 +753,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -783,8 +782,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -801,7 +799,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 6d3c292bb93..455820fa0df 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -752,7 +752,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9766857743be0a44_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -770,8 +770,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -803,8 +802,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -821,7 +819,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF + GH_AW_MCP_CONFIG_9766857743be0a44_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-formal-spec-verifier.lock.yml b/.github/workflows/daily-formal-spec-verifier.lock.yml index 10d2a76fb74..8f30b007a41 100644 --- a/.github/workflows/daily-formal-spec-verifier.lock.yml +++ b/.github/workflows/daily-formal-spec-verifier.lock.yml @@ -763,7 +763,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -794,8 +794,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -812,7 +811,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 29a0c8fcb6a..aa676eb572c 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -768,7 +768,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e0281624817c51e4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -798,8 +798,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -825,8 +824,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -843,7 +841,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e0281624817c51e4_EOF + GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-geo-optimizer.lock.yml b/.github/workflows/daily-geo-optimizer.lock.yml index c67359bcd75..f15eb673df6 100644 --- a/.github/workflows/daily-geo-optimizer.lock.yml +++ b/.github/workflows/daily-geo-optimizer.lock.yml @@ -748,7 +748,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -779,8 +779,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -797,7 +796,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-hippo-learn.lock.yml b/.github/workflows/daily-hippo-learn.lock.yml index e941473748a..1a0d004785c 100644 --- a/.github/workflows/daily-hippo-learn.lock.yml +++ b/.github/workflows/daily-hippo-learn.lock.yml @@ -864,7 +864,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b90aa044d0873b31_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_49d80a4c4fcddb3d_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "mcpscripts": { @@ -877,8 +877,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -909,8 +908,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -927,7 +925,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_b90aa044d0873b31_EOF + GH_AW_MCP_CONFIG_49d80a4c4fcddb3d_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 2c553c6133e..a3f1b7de6df 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -978,7 +978,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -1009,8 +1009,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1027,7 +1026,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 24007833550..413b058e568 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -740,7 +740,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_48a8530c23406e35_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_13fd145982983f00_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -787,8 +787,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -805,7 +804,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_48a8530c23406e35_EOF + GH_AW_MCP_CONFIG_13fd145982983f00_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index ee98296c676..ab72195fe84 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -782,7 +782,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -813,8 +813,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -843,8 +842,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -861,7 +859,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-model-inventory.lock.yml b/.github/workflows/daily-model-inventory.lock.yml index 6037ae295e0..24a53fd4352 100644 --- a/.github/workflows/daily-model-inventory.lock.yml +++ b/.github/workflows/daily-model-inventory.lock.yml @@ -747,7 +747,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -794,8 +794,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -812,7 +811,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-model-resolution.lock.yml b/.github/workflows/daily-model-resolution.lock.yml index 764bbb6afda..d31a10fbf05 100644 --- a/.github/workflows/daily-model-resolution.lock.yml +++ b/.github/workflows/daily-model-resolution.lock.yml @@ -773,7 +773,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9766857743be0a44_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -791,8 +791,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -824,8 +823,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -842,7 +840,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF + GH_AW_MCP_CONFIG_9766857743be0a44_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index f53a88d8240..c52ae96e1b7 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -784,7 +784,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -814,8 +814,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -832,7 +831,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index baf1dd480bd..fa96ffafc85 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -908,7 +908,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_29943a80bb5bb8f6_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_aa2268eb23f2334d_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "headroom": { @@ -928,8 +928,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -960,8 +959,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -981,8 +979,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -999,7 +996,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_29943a80bb5bb8f6_EOF + GH_AW_MCP_CONFIG_aa2268eb23f2334d_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 1e1714389ed..5cfd2e45b3b 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -807,7 +807,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d4759c488eff9016_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -824,8 +824,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -856,8 +855,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -874,7 +872,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF + GH_AW_MCP_CONFIG_d4759c488eff9016_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 62974a927c7..feb3f11e5b9 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1259,7 +1259,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_7b1cde96be66d27e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_981a997d5e8928ca_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "mcpscripts": { @@ -1272,8 +1272,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1305,8 +1304,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1323,7 +1321,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_7b1cde96be66d27e_EOF + GH_AW_MCP_CONFIG_981a997d5e8928ca_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index b3888088b76..4624e9040e3 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1195,7 +1195,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_1cf32faa401298db_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_29e926b87b30b96f_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -1224,8 +1224,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1257,8 +1256,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1275,7 +1273,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_1cf32faa401298db_EOF + GH_AW_MCP_CONFIG_29e926b87b30b96f_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-reliability-review.lock.yml b/.github/workflows/daily-reliability-review.lock.yml index 35a3b2bcde6..9a2c174c0b0 100644 --- a/.github/workflows/daily-reliability-review.lock.yml +++ b/.github/workflows/daily-reliability-review.lock.yml @@ -726,7 +726,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -e SENTRY_ACCESS_TOKEN -e SENTRY_HOST -e SENTRY_OPENAI_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cf5e02d9ea337f7b_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_165154816d8bc3d5_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -756,8 +756,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -795,8 +794,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -813,7 +811,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cf5e02d9ea337f7b_EOF + GH_AW_MCP_CONFIG_165154816d8bc3d5_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 55be87b1bf1..1850ad45df1 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -851,7 +851,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d4759c488eff9016_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -868,8 +868,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -900,8 +899,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -918,7 +916,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF + GH_AW_MCP_CONFIG_d4759c488eff9016_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 3a1cb0a39b1..c4c37d167d7 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -762,7 +762,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -793,8 +793,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -811,7 +810,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index 54c4a3d8071..211d8d647f0 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml +++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -741,7 +741,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -772,8 +772,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -790,7 +789,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 017c97d791d..340dd56de8a 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -738,7 +738,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -768,8 +768,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -786,7 +785,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml index faf3fbc9aa6..a7eb578b2de 100644 --- a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml +++ b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml @@ -797,7 +797,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_223a7dbf035201f0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_37191abe61738699_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -827,8 +827,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -840,7 +839,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_223a7dbf035201f0_EOF + GH_AW_MCP_CONFIG_37191abe61738699_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 9031c7e32a0..697f1903e78 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -696,7 +696,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -727,8 +727,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -745,7 +744,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index 4055d0002f2..686203e2523 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml @@ -869,7 +869,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9766857743be0a44_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -887,8 +887,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -920,8 +919,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -938,7 +936,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF + GH_AW_MCP_CONFIG_9766857743be0a44_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 92cbf258aeb..1cb16b034c2 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -811,7 +811,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -841,8 +841,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -859,7 +858,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 5f991ef2696..6f085897dc3 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -748,7 +748,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_18f32a58cc17b637_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_fa94a5951bf7f731_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -795,8 +795,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -824,8 +823,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -842,7 +840,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_18f32a58cc17b637_EOF + GH_AW_MCP_CONFIG_fa94a5951bf7f731_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-spdd-spec-planner.lock.yml b/.github/workflows/daily-spdd-spec-planner.lock.yml index 4cb9b0408c2..d2b7a79a413 100644 --- a/.github/workflows/daily-spdd-spec-planner.lock.yml +++ b/.github/workflows/daily-spdd-spec-planner.lock.yml @@ -738,7 +738,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -769,8 +769,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -787,7 +786,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index e0a9bbfc3f2..70ae1947c9c 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -710,7 +710,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_08f7efee918e7196_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_29c6f04609017e71_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -755,8 +755,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -773,7 +772,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_08f7efee918e7196_EOF + GH_AW_MCP_CONFIG_29c6f04609017e71_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 548140a74a6..55f9a4db97b 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -689,7 +689,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_0d33e8bf8d0801d8_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_0456eff736817081_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -739,8 +739,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -752,7 +751,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_0d33e8bf8d0801d8_EOF + GH_AW_MCP_CONFIG_0456eff736817081_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 6d19152b8cc..a88317ba462 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -748,7 +748,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -779,8 +779,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -809,8 +808,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -827,7 +825,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-windows-terminal-integration-builder.lock.yml b/.github/workflows/daily-windows-terminal-integration-builder.lock.yml index 5fe54634ec9..ba71356c85a 100644 --- a/.github/workflows/daily-windows-terminal-integration-builder.lock.yml +++ b/.github/workflows/daily-windows-terminal-integration-builder.lock.yml @@ -682,7 +682,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_f185f50466326598_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -713,8 +713,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -726,7 +725,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF + GH_AW_MCP_CONFIG_f185f50466326598_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 5a529c3c317..2f36c434d9f 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -707,7 +707,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -738,8 +738,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -756,7 +755,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/daily-yamllint-fixer.lock.yml b/.github/workflows/daily-yamllint-fixer.lock.yml index 26415b91ff3..3a6bf72f845 100644 --- a/.github/workflows/daily-yamllint-fixer.lock.yml +++ b/.github/workflows/daily-yamllint-fixer.lock.yml @@ -735,7 +735,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -765,8 +765,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -783,7 +782,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml index 7ad391ca452..04455111845 100644 --- a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml +++ b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml @@ -1009,7 +1009,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -1040,8 +1040,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1058,7 +1057,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 9eeec0f3a35..c2d8722c9df 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -761,7 +761,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -792,8 +792,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -810,7 +809,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 71444268d6b..4cf8771a6d0 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1114,7 +1114,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -e GH_AW_WORKFLOW_ID_SANITIZED -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_4eb84badd13e78bb_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_af77169a0c1869ba_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agentdb": { @@ -1136,8 +1136,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1155,8 +1154,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1187,8 +1185,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1205,7 +1202,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_4eb84badd13e78bb_EOF + GH_AW_MCP_CONFIG_af77169a0c1869ba_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index b4679cff6f6..04cbf9393d0 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -762,7 +762,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -793,8 +793,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -811,7 +810,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 7efcea8824b..89125fe5515 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -821,7 +821,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -852,8 +852,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -870,7 +869,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 437e0f0b2d2..50622fc1caa 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -768,7 +768,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_027f9c8d8b471840_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_8d71332f94c1b69f_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -815,8 +815,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -833,7 +832,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_027f9c8d8b471840_EOF + GH_AW_MCP_CONFIG_8d71332f94c1b69f_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/dependabot-repair.lock.yml b/.github/workflows/dependabot-repair.lock.yml index e73f35de51f..505bf423dba 100644 --- a/.github/workflows/dependabot-repair.lock.yml +++ b/.github/workflows/dependabot-repair.lock.yml @@ -809,7 +809,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -856,8 +856,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -874,7 +873,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/deployment-incident-monitor.lock.yml b/.github/workflows/deployment-incident-monitor.lock.yml index 16963c32628..dfcf28fee7c 100644 --- a/.github/workflows/deployment-incident-monitor.lock.yml +++ b/.github/workflows/deployment-incident-monitor.lock.yml @@ -719,7 +719,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -750,8 +750,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -768,7 +767,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/design-decision-gate.lock.yml b/.github/workflows/design-decision-gate.lock.yml index 7618750ae55..f37360bb135 100644 --- a/.github/workflows/design-decision-gate.lock.yml +++ b/.github/workflows/design-decision-gate.lock.yml @@ -814,7 +814,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b814f46b13b78bd4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_43ce30ae4ec4886b_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -844,8 +844,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -863,7 +862,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_b814f46b13b78bd4_EOF + GH_AW_MCP_CONFIG_43ce30ae4ec4886b_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/designer-drift-audit.lock.yml b/.github/workflows/designer-drift-audit.lock.yml index 484c4e1f794..4ed97986b5e 100644 --- a/.github/workflows/designer-drift-audit.lock.yml +++ b/.github/workflows/designer-drift-audit.lock.yml @@ -688,7 +688,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_f185f50466326598_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -719,8 +719,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -732,7 +731,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF + GH_AW_MCP_CONFIG_f185f50466326598_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index cd2e9519546..f7d0b8a520a 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -786,7 +786,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9766857743be0a44_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -804,8 +804,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -837,8 +836,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -855,7 +853,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF + GH_AW_MCP_CONFIG_9766857743be0a44_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 1142301a820..424a1b87626 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -790,7 +790,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -820,8 +820,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -838,7 +837,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index b9e161534f5..252cbfdab30 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -803,7 +803,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e0281624817c51e4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -833,8 +833,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -860,8 +859,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -878,7 +876,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e0281624817c51e4_EOF + GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index b53e8fbe5e7..5bb480f0110 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -709,7 +709,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -740,8 +740,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -758,7 +757,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index f43b66b1de1..99300d9fc0b 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -751,7 +751,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -782,8 +782,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -800,7 +799,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index cb950de935a..5d24f8751d9 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -721,7 +721,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -752,8 +752,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -770,7 +769,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/eslint-miner.lock.yml b/.github/workflows/eslint-miner.lock.yml index 68ef27a7e19..e19c7b829e9 100644 --- a/.github/workflows/eslint-miner.lock.yml +++ b/.github/workflows/eslint-miner.lock.yml @@ -722,7 +722,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_f185f50466326598_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -753,8 +753,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -766,7 +765,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF + GH_AW_MCP_CONFIG_f185f50466326598_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/eslint-monster.lock.yml b/.github/workflows/eslint-monster.lock.yml index d69d9169fac..3e66f9cc741 100644 --- a/.github/workflows/eslint-monster.lock.yml +++ b/.github/workflows/eslint-monster.lock.yml @@ -835,7 +835,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -865,8 +865,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -883,7 +882,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/eslint-refiner.lock.yml b/.github/workflows/eslint-refiner.lock.yml index 85d7ed9d2ee..ad3a8650d1f 100644 --- a/.github/workflows/eslint-refiner.lock.yml +++ b/.github/workflows/eslint-refiner.lock.yml @@ -762,7 +762,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -792,8 +792,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -810,7 +809,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 71b392bb077..7b6e5b59784 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -633,7 +633,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_bf71519fd026c959_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_003ef33ec4ff6cdc_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -680,8 +680,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -698,7 +697,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_bf71519fd026c959_EOF + GH_AW_MCP_CONFIG_003ef33ec4ff6cdc_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index e9e3f1b2b97..cd17d2b94ad 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -767,7 +767,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d4759c488eff9016_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -784,8 +784,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -816,8 +815,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -834,7 +832,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF + GH_AW_MCP_CONFIG_d4759c488eff9016_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 01e72534089..e1ca25d9c24 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -766,7 +766,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -797,8 +797,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -815,7 +814,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index db194260a40..12addfe153b 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -716,7 +716,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -763,8 +763,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -781,7 +780,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 420659b81b7..e3743e270e6 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -771,7 +771,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_1224cc75c6688253_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_79ff865aceb0fe92_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -816,8 +816,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -834,7 +833,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_1224cc75c6688253_EOF + GH_AW_MCP_CONFIG_79ff865aceb0fe92_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 2e31947a0b1..0ad97d18bae 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -775,7 +775,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8915efaf53b6331c_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ff93020d193293d3_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -820,8 +820,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -838,7 +837,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8915efaf53b6331c_EOF + GH_AW_MCP_CONFIG_ff93020d193293d3_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 2acf86057eb..34a88214a01 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -705,7 +705,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9d3c2d8233299af5_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_8a1b6eec0351da40_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -760,8 +760,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -778,7 +777,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9d3c2d8233299af5_EOF + GH_AW_MCP_CONFIG_8a1b6eec0351da40_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 4e0edc0eceb..b8b6d4cf360 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -799,7 +799,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -830,8 +830,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -860,8 +859,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -878,7 +876,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index be930829b92..995c00ec624 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -748,7 +748,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e0281624817c51e4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -778,8 +778,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -805,8 +804,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -823,7 +821,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e0281624817c51e4_EOF + GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index ae7dc5e49f1..3e3d0046330 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -758,7 +758,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -788,8 +788,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -806,7 +805,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 9b9971a8353..5cc59b053b5 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -783,7 +783,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -830,8 +830,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -848,7 +847,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 91ba8066be6..6de5432ed35 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -828,7 +828,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_a627a93f8257e78f_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_840e4e3782679846_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -876,8 +876,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -894,7 +893,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_a627a93f8257e78f_EOF + GH_AW_MCP_CONFIG_840e4e3782679846_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/hippo-embed.lock.yml b/.github/workflows/hippo-embed.lock.yml index 89fab1413d1..bc33453bae3 100644 --- a/.github/workflows/hippo-embed.lock.yml +++ b/.github/workflows/hippo-embed.lock.yml @@ -762,7 +762,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b90aa044d0873b31_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_49d80a4c4fcddb3d_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "mcpscripts": { @@ -775,8 +775,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -807,8 +806,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -825,7 +823,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_b90aa044d0873b31_EOF + GH_AW_MCP_CONFIG_49d80a4c4fcddb3d_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 5f046a0afe4..a4cfe6e144e 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -761,7 +761,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -791,8 +791,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -809,7 +808,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/impeccable-skills-reviewer.lock.yml b/.github/workflows/impeccable-skills-reviewer.lock.yml index e8331186749..09155ca55be 100644 --- a/.github/workflows/impeccable-skills-reviewer.lock.yml +++ b/.github/workflows/impeccable-skills-reviewer.lock.yml @@ -792,7 +792,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -823,8 +823,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -841,7 +840,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index b0c8e71b016..ecb4fe76e1b 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -738,7 +738,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -768,8 +768,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -786,7 +785,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 83c7fbeed5c..bab8c04443a 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -871,7 +871,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -901,8 +901,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -919,7 +918,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index db96998f4f7..8544dc8518c 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1110,7 +1110,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -1140,8 +1140,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1158,7 +1157,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 9f3dfab264c..9672129f7c1 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -684,7 +684,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_0962e5a48b89bcf9_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_a50575a04ab4ebbc_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -734,8 +734,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -752,7 +751,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_0962e5a48b89bcf9_EOF + GH_AW_MCP_CONFIG_a50575a04ab4ebbc_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 6c79a2a5e23..9984ab03e13 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -753,7 +753,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -784,8 +784,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -802,7 +801,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 5243af54994..80cad8bcd5e 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -723,7 +723,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -754,8 +754,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -772,7 +771,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/lint-monster.lock.yml b/.github/workflows/lint-monster.lock.yml index 2fba01d1999..ad354057758 100644 --- a/.github/workflows/lint-monster.lock.yml +++ b/.github/workflows/lint-monster.lock.yml @@ -830,7 +830,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -860,8 +860,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -878,7 +877,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/linter-miner.lock.yml b/.github/workflows/linter-miner.lock.yml index 3b78a87e0da..cf8f394e28e 100644 --- a/.github/workflows/linter-miner.lock.yml +++ b/.github/workflows/linter-miner.lock.yml @@ -750,7 +750,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -781,8 +781,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -811,8 +810,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -829,7 +827,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/mattpocock-skills-reviewer.lock.yml b/.github/workflows/mattpocock-skills-reviewer.lock.yml index 0ebfceaac98..cb1b55f3dd5 100644 --- a/.github/workflows/mattpocock-skills-reviewer.lock.yml +++ b/.github/workflows/mattpocock-skills-reviewer.lock.yml @@ -939,7 +939,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -970,8 +970,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -988,7 +987,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 67f9aa8a6cb..e5d8e60369d 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -752,7 +752,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -783,8 +783,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -801,7 +800,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index ebe84e27c07..a63329037ee 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -802,7 +802,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9766857743be0a44_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -820,8 +820,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -853,8 +852,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -871,7 +869,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF + GH_AW_MCP_CONFIG_9766857743be0a44_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/necromancer.lock.yml b/.github/workflows/necromancer.lock.yml index 001f8321f74..a8a75640f30 100644 --- a/.github/workflows/necromancer.lock.yml +++ b/.github/workflows/necromancer.lock.yml @@ -811,7 +811,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -841,8 +841,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -859,7 +858,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 79e218a6884..78e6faf6234 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -691,7 +691,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_3588f54ba9215428_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_75ba6b441b1f7504_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -726,8 +726,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -759,8 +758,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -777,7 +775,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_3588f54ba9215428_EOF + GH_AW_MCP_CONFIG_75ba6b441b1f7504_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/objective-impact-report.lock.yml b/.github/workflows/objective-impact-report.lock.yml index 8fa1f3fe049..5e85255f593 100644 --- a/.github/workflows/objective-impact-report.lock.yml +++ b/.github/workflows/objective-impact-report.lock.yml @@ -720,7 +720,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_f185f50466326598_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -751,8 +751,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -764,7 +763,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF + GH_AW_MCP_CONFIG_f185f50466326598_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 4fc6643cb4f..57c3868d85c 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -766,7 +766,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -797,8 +797,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -815,7 +814,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/outcome-collector.lock.yml b/.github/workflows/outcome-collector.lock.yml index b1e1478d7d2..ef00067ed48 100644 --- a/.github/workflows/outcome-collector.lock.yml +++ b/.github/workflows/outcome-collector.lock.yml @@ -743,7 +743,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -774,8 +774,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -792,7 +791,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index e97db8ba1ab..a979697b667 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -834,7 +834,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -865,8 +865,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -883,7 +882,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 7412aede7c4..2c6dba398ec 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1077,7 +1077,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -1107,8 +1107,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1125,7 +1124,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/pr-code-quality-reviewer.lock.yml b/.github/workflows/pr-code-quality-reviewer.lock.yml index c5ca71f6bb7..f0bfd74df45 100644 --- a/.github/workflows/pr-code-quality-reviewer.lock.yml +++ b/.github/workflows/pr-code-quality-reviewer.lock.yml @@ -798,7 +798,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -829,8 +829,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -847,7 +846,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/pr-description-caveman.lock.yml b/.github/workflows/pr-description-caveman.lock.yml index 7183e463555..7470b01b84d 100644 --- a/.github/workflows/pr-description-caveman.lock.yml +++ b/.github/workflows/pr-description-caveman.lock.yml @@ -716,7 +716,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_f185f50466326598_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -747,8 +747,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -760,7 +759,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_b3212dc96fddb6a7_EOF + GH_AW_MCP_CONFIG_f185f50466326598_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 46b423d2f45..3baf8720503 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -826,7 +826,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_0994135830cba3d1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_c315c1ca24a35bd4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -876,8 +876,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -894,7 +893,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_0994135830cba3d1_EOF + GH_AW_MCP_CONFIG_c315c1ca24a35bd4_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 5537b65ee4d..ea459e19491 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -1094,7 +1094,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -1124,8 +1124,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1142,7 +1141,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 987e92889c8..38ecdcef571 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -841,7 +841,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -872,8 +872,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -890,7 +889,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 721b8c4acae..c7d5d353c43 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -867,7 +867,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d4759c488eff9016_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -884,8 +884,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -916,8 +915,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -934,7 +932,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF + GH_AW_MCP_CONFIG_d4759c488eff9016_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index ca9c6e4caee..32176330269 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -914,7 +914,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9766857743be0a44_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -932,8 +932,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -965,8 +964,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -983,7 +981,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e4b095881b0ba368_EOF + GH_AW_MCP_CONFIG_9766857743be0a44_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/refactoring-cadence.lock.yml b/.github/workflows/refactoring-cadence.lock.yml index a3442213964..658b942184e 100644 --- a/.github/workflows/refactoring-cadence.lock.yml +++ b/.github/workflows/refactoring-cadence.lock.yml @@ -736,7 +736,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -767,8 +767,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -785,7 +784,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 9cc7fa7cc8a..c87a498a413 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -838,7 +838,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -869,8 +869,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -887,7 +886,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index f24c1198799..c5aab569457 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -729,7 +729,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -776,8 +776,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -794,7 +793,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 24b2b8508f3..41774883533 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -735,7 +735,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -766,8 +766,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -784,7 +783,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/ruflo-backed-task.lock.yml b/.github/workflows/ruflo-backed-task.lock.yml index a3da0b45606..43bc2f389ae 100644 --- a/.github/workflows/ruflo-backed-task.lock.yml +++ b/.github/workflows/ruflo-backed-task.lock.yml @@ -825,7 +825,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e92f0305bc9ce142_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_71298450f3010d06_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "ruflo": { @@ -854,8 +854,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -886,8 +885,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -899,7 +897,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_e92f0305bc9ce142_EOF + GH_AW_MCP_CONFIG_71298450f3010d06_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 24a09824c68..3356e81c677 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -737,7 +737,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -767,8 +767,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -785,7 +784,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index ef413a65944..dfdc9f0d190 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml @@ -765,7 +765,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e19e71501692380f_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_baa3186b48a8a5c6_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -810,8 +810,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -828,7 +827,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e19e71501692380f_EOF + GH_AW_MCP_CONFIG_baa3186b48a8a5c6_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index c3f86442a82..e9f99214ca4 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -830,7 +830,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_4a335bccb89c9a80_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_7c31ecaadd134a2c_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "arxiv": { @@ -845,8 +845,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -862,8 +861,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -877,8 +875,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -892,8 +889,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -924,8 +920,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -945,8 +940,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -963,7 +957,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_4a335bccb89c9a80_EOF + GH_AW_MCP_CONFIG_7c31ecaadd134a2c_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index f9834a8f5ef..bd37841cdcd 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -744,7 +744,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -775,8 +775,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -793,7 +792,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 1e6dab48a58..b85ab48b29a 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -857,7 +857,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f0b4549765c5e3a0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_05fb014291a490ca_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -875,8 +875,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -927,8 +926,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -945,7 +943,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f0b4549765c5e3a0_EOF + GH_AW_MCP_CONFIG_05fb014291a490ca_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 8016707480e..c0b2061dd88 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -736,7 +736,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e0281624817c51e4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -766,8 +766,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -793,8 +792,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -811,7 +809,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e0281624817c51e4_EOF + GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 1751fed039c..cbd352ebc2f 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -772,7 +772,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e0281624817c51e4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -802,8 +802,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -829,8 +828,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -847,7 +845,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e0281624817c51e4_EOF + GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/skillet.lock.yml b/.github/workflows/skillet.lock.yml index 442eadd6d59..44211402fca 100644 --- a/.github/workflows/skillet.lock.yml +++ b/.github/workflows/skillet.lock.yml @@ -807,7 +807,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -838,8 +838,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -856,7 +855,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 1f0b85d44dc..3425f4f00d9 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -746,7 +746,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_ba0b67fc220f2983_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_bc6a457a860a9662_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -794,8 +794,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -812,7 +811,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_ba0b67fc220f2983_EOF + GH_AW_MCP_CONFIG_bc6a457a860a9662_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index c3bdb9e11b8..8d1147ab29d 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -746,7 +746,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_df4f2aaa827bdf05_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_2b7e096ace93f2f0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -794,8 +794,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -812,7 +811,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_df4f2aaa827bdf05_EOF + GH_AW_MCP_CONFIG_2b7e096ace93f2f0_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 8831d8a40a4..b1ab7113396 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -777,7 +777,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_037d1fc696d0fd92_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_3c69a791cee2c555_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -825,8 +825,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -843,7 +842,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_037d1fc696d0fd92_EOF + GH_AW_MCP_CONFIG_3c69a791cee2c555_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 9b0fb8a04f7..e3883028472 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -746,7 +746,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8617cc68beca5a49_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_56f1a0b983924e6c_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -794,8 +794,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -812,7 +811,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8617cc68beca5a49_EOF + GH_AW_MCP_CONFIG_56f1a0b983924e6c_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index d3a69f6b622..155583b5d35 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -749,7 +749,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_fd3a329de60dbd2a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_59b18e73fe38040d_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -801,8 +801,7 @@ jobs: "accept": [ "private:github/gh-aw", "private:github" - ], - "sink-visibility": "public" + ] } } } @@ -819,7 +818,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_fd3a329de60dbd2a_EOF + GH_AW_MCP_CONFIG_59b18e73fe38040d_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-antigravity.lock.yml b/.github/workflows/smoke-antigravity.lock.yml index b4bdfc84a68..116ae345fa4 100644 --- a/.github/workflows/smoke-antigravity.lock.yml +++ b/.github/workflows/smoke-antigravity.lock.yml @@ -868,7 +868,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -898,8 +898,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -916,7 +915,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-ci.lock.yml b/.github/workflows/smoke-ci.lock.yml index 0424f502c27..3c7585b070c 100644 --- a/.github/workflows/smoke-ci.lock.yml +++ b/.github/workflows/smoke-ci.lock.yml @@ -968,7 +968,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -1015,8 +1015,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1033,7 +1032,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-claude-on-copilot.lock.yml b/.github/workflows/smoke-claude-on-copilot.lock.yml index 22afed6347c..2f806ff2ed0 100644 --- a/.github/workflows/smoke-claude-on-copilot.lock.yml +++ b/.github/workflows/smoke-claude-on-copilot.lock.yml @@ -724,7 +724,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_223a7dbf035201f0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_37191abe61738699_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -754,8 +754,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -767,7 +766,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_223a7dbf035201f0_EOF + GH_AW_MCP_CONFIG_37191abe61738699_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 26e60cb510c..d61b05a0613 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1466,7 +1466,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_36a309c713f80b13_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_699753ca7dc166c3_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -1483,8 +1483,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1498,8 +1497,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1530,8 +1528,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1551,8 +1548,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1569,7 +1565,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_36a309c713f80b13_EOF + GH_AW_MCP_CONFIG_699753ca7dc166c3_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index eaaee0a3a07..696e51272cb 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"aa0ed119e72a5a80fca3653db96ef93a846a9fc08a00e2bdaf4d7a9a968e5639","body_hash":"fae212c4ff39a682e3254fae440084a2152282e383467ff3f0c15fb9d2d69411","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"28bcd7d1a07d419f8a3df23bc8a50f9f511c24776e23f36aa4f2caabf73986fd","body_hash":"fae212c4ff39a682e3254fae440084a2152282e383467ff3f0c15fb9d2d69411","strict":true,"agent_id":"codex","engine_versions":{"codex":"0.142.5"}} # gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions-ecosystem/action-add-labels","sha":"c96b68fec76a0987cd93957189e9abd0b9a72ff1","version":"v1.1.3"},{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"924ae3a1cded613372ab5595356fb5720e22ba16","version":"v6.5.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.26","digest":"sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.26@sha256:b283b1f037d2e068532fe178a06f2944696c3933ba11604979134e7896ac6f8c"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.26","digest":"sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.26@sha256:1743dbac9bf4225f3acfdcbce4f77f5a3e61e22b2e929305525f00196693c015"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.26","digest":"sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.26@sha256:6006b1c579ca550e023697b5dfd832ae03361328a4c0f2eb49fb181a6b8d7a4b"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.26","digest":"sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.26@sha256:d4647c3bfaf80889eb1dbd3d4e2063340cbf94c0ca6c5747bbfc8507b12f3485"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"},{"image":"ghcr.io/github/serena-mcp-server:latest","digest":"sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5","pinned_image":"ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # @@ -1112,7 +1112,7 @@ jobs: # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f7d46e212eccd45c_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_358ee85d9d3eedd2_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -1142,8 +1142,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1169,8 +1168,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1187,7 +1185,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f7d46e212eccd45c_EOF + GH_AW_MCP_CONFIG_358ee85d9d3eedd2_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config @@ -2422,10 +2420,20 @@ jobs: - name: Install TruffleHog id: install-trufflehog run: | - echo "Installing TruffleHog v${TRUFFLEHOG_VERSION}..." - curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin "v${TRUFFLEHOG_VERSION}" + ARCH=$(uname -m) + if [ "$ARCH" != "x86_64" ]; then + echo "::error::TruffleHog installation only supports x86_64 (linux_amd64); detected $ARCH. Self-hosted ARM runners must install TruffleHog separately." + exit 1 + fi + echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." + mkdir -p /tmp/gh-aw + curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/gh-aw/trufflehog.tar.gz + # SHA256 covers the .tar.gz archive; the binary is extracted from the verified archive + echo "${TRUFFLEHOG_SHA256} /tmp/gh-aw/trufflehog.tar.gz" | sha256sum -c - + sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz --no-same-owner -C /usr/local/bin trufflehog trufflehog --version env: + TRUFFLEHOG_SHA256: e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7 TRUFFLEHOG_VERSION: 3.88.27 - name: Scan agent output for secrets id: scan-agent-output diff --git a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml index cca29bd4133..b237c4d0580 100644 --- a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml @@ -1723,7 +1723,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_91e5896d7e6f45d0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f27317c9bd52060_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -1741,8 +1741,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1756,8 +1755,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1789,8 +1787,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1819,8 +1816,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1837,7 +1833,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_91e5896d7e6f45d0_EOF + GH_AW_MCP_CONFIG_1f27317c9bd52060_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-copilot-aoai-entra.lock.yml b/.github/workflows/smoke-copilot-aoai-entra.lock.yml index 4fca6719230..d4c7d8647ef 100644 --- a/.github/workflows/smoke-copilot-aoai-entra.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-entra.lock.yml @@ -1724,7 +1724,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_91e5896d7e6f45d0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f27317c9bd52060_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -1742,8 +1742,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1757,8 +1756,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1790,8 +1788,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1820,8 +1817,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1838,7 +1834,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_91e5896d7e6f45d0_EOF + GH_AW_MCP_CONFIG_1f27317c9bd52060_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 60719d0985b..6329fda4058 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1571,7 +1571,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_2eda9c0ae2c6b104_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_cc8392b7570bdbf2_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -1589,8 +1589,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1620,8 +1619,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1653,8 +1651,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1683,8 +1680,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1701,7 +1697,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_2eda9c0ae2c6b104_EOF + GH_AW_MCP_CONFIG_cc8392b7570bdbf2_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 6bc154376e0..e6a4957c3a4 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1740,7 +1740,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_91e5896d7e6f45d0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f27317c9bd52060_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -1758,8 +1758,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1773,8 +1772,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1806,8 +1804,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -1836,8 +1833,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1854,7 +1850,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_91e5896d7e6f45d0_EOF + GH_AW_MCP_CONFIG_1f27317c9bd52060_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 447b8fdf1c5..78daedd929f 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -868,7 +868,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -915,8 +915,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -933,7 +932,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-crush.lock.yml b/.github/workflows/smoke-crush.lock.yml index 52c2a4d7853..3b6b10607c3 100644 --- a/.github/workflows/smoke-crush.lock.yml +++ b/.github/workflows/smoke-crush.lock.yml @@ -811,7 +811,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_5b82788d64c085c6_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ba0720b989526e81_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -856,8 +856,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -874,7 +873,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_5b82788d64c085c6_EOF + GH_AW_MCP_CONFIG_ba0720b989526e81_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 127a08dad27..ea723bd0650 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -873,7 +873,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -903,8 +903,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -921,7 +920,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index 8a21c249ad5..e33ac4f6c9a 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -815,7 +815,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_5b82788d64c085c6_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ba0720b989526e81_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -860,8 +860,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -878,7 +877,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_5b82788d64c085c6_EOF + GH_AW_MCP_CONFIG_ba0720b989526e81_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-otel-backends.lock.yml b/.github/workflows/smoke-otel-backends.lock.yml index 67ce391d971..6e3a461b3f5 100644 --- a/.github/workflows/smoke-otel-backends.lock.yml +++ b/.github/workflows/smoke-otel-backends.lock.yml @@ -814,7 +814,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_58218cfe7d58fa3c_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d525c784a052d222_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "datadog": { @@ -843,8 +843,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -873,8 +872,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -906,8 +904,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -945,8 +942,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -963,7 +959,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_58218cfe7d58fa3c_EOF + GH_AW_MCP_CONFIG_d525c784a052d222_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-pi.lock.yml b/.github/workflows/smoke-pi.lock.yml index c574b292cf8..665024677b1 100644 --- a/.github/workflows/smoke-pi.lock.yml +++ b/.github/workflows/smoke-pi.lock.yml @@ -842,7 +842,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -872,8 +872,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -890,7 +889,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 8911534c031..6cf5d486b13 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -997,7 +997,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -1044,8 +1044,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -1062,7 +1061,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 6285a6d106c..eea7e418ed8 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -880,7 +880,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -927,8 +927,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -945,7 +944,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_f6ba19f758ea367a_EOF + GH_AW_MCP_CONFIG_1f24d04dbd7f74fd_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/spec-enforcer.lock.yml b/.github/workflows/spec-enforcer.lock.yml index 930b47464a3..4bc6a6c67cc 100644 --- a/.github/workflows/spec-enforcer.lock.yml +++ b/.github/workflows/spec-enforcer.lock.yml @@ -750,7 +750,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -780,8 +780,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -798,7 +797,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/spec-extractor.lock.yml b/.github/workflows/spec-extractor.lock.yml index 6b2a088ee15..fa45652391f 100644 --- a/.github/workflows/spec-extractor.lock.yml +++ b/.github/workflows/spec-extractor.lock.yml @@ -747,7 +747,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -778,8 +778,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -808,8 +807,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -826,7 +824,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/spec-librarian.lock.yml b/.github/workflows/spec-librarian.lock.yml index 74a3a9138b3..463b99c161f 100644 --- a/.github/workflows/spec-librarian.lock.yml +++ b/.github/workflows/spec-librarian.lock.yml @@ -722,7 +722,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -753,8 +753,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -783,8 +782,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -801,7 +799,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/stale-pr-cleanup.lock.yml b/.github/workflows/stale-pr-cleanup.lock.yml index 07241032dbe..b314fd7c592 100644 --- a/.github/workflows/stale-pr-cleanup.lock.yml +++ b/.github/workflows/stale-pr-cleanup.lock.yml @@ -720,7 +720,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -751,8 +751,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -769,7 +768,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 07f8fed63a9..89db1ea1ca9 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -906,7 +906,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -937,8 +937,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -955,7 +954,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 31cabf3ca19..f545a27f2be 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -849,7 +849,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d4759c488eff9016_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -866,8 +866,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -898,8 +897,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -916,7 +914,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8c19a7767fe8693a_EOF + GH_AW_MCP_CONFIG_d4759c488eff9016_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 3aada06fb76..f1d435081ef 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -732,7 +732,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -762,8 +762,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -780,7 +779,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index e83cfec0622..17f87a71a88 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -740,7 +740,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -771,8 +771,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -789,7 +788,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 235d9c59e14..2f2af4f8165 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -817,7 +817,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -848,8 +848,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -866,7 +865,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 2af1be24969..deb6ca6ad20 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -704,7 +704,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8cb04054e3377316_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -735,8 +735,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -765,8 +764,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -783,7 +781,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_8cb04054e3377316_EOF + GH_AW_MCP_CONFIG_adde5ffedd660dfe_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index a4c711e678a..678df1a49f1 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -811,7 +811,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -842,8 +842,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -860,7 +859,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 942e6af20ca..2d269708ede 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -748,7 +748,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_e0281624817c51e4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -778,8 +778,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -805,8 +804,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -823,7 +821,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_e0281624817c51e4_EOF + GH_AW_MCP_CONFIG_89c9e0ba47d42fa2_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index d07e8da989f..276701a183f 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -725,7 +725,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -756,8 +756,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -774,7 +773,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/uk-ai-operational-resilience.lock.yml b/.github/workflows/uk-ai-operational-resilience.lock.yml index 73c0fa06faf..9e38443f7ab 100644 --- a/.github/workflows/uk-ai-operational-resilience.lock.yml +++ b/.github/workflows/uk-ai-operational-resilience.lock.yml @@ -751,7 +751,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -782,8 +782,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -800,7 +799,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index f721c0400b1..bd504ae526f 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -840,7 +840,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -870,8 +870,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -888,7 +887,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cb3bf0ec223ed8a1_EOF + GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 5c06f28e11c..4ecd4130f58 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -889,7 +889,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_06bff4ae99b92834_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_16573538fa7590e4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -907,8 +907,7 @@ jobs: "write-sink": { "accept": [ "private:github/gh-aw" - ], - "sink-visibility": "public" + ] } } }, @@ -940,8 +939,7 @@ jobs: "write-sink": { "accept": [ "private:github/gh-aw" - ], - "sink-visibility": "public" + ] } } } @@ -958,7 +956,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_06bff4ae99b92834_EOF + GH_AW_MCP_CONFIG_16573538fa7590e4_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index ae4ad1aa4ff..280e50eeace 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -742,7 +742,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -773,8 +773,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -791,7 +790,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 04d4f21ba62..1d15dfca27d 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -709,7 +709,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -740,8 +740,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -758,7 +757,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 625bc8de76b..caf9b645389 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -779,7 +779,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -810,8 +810,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -828,7 +827,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 1bdf614f3a0..3a527f52426 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -813,7 +813,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_799773005d931d89_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "safeoutputs": { @@ -844,8 +844,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -862,7 +861,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_9daff4f6c842738e_EOF + GH_AW_MCP_CONFIG_799773005d931d89_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 56a4e528102..2fa143ba2a5 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -773,7 +773,7 @@ jobs: mkdir -p "$HOME/.copilot" GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_cc25b79ce026637c_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9f4a19e9067bc81e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -791,8 +791,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } }, @@ -840,8 +839,7 @@ jobs: "write-sink": { "accept": [ "*" - ], - "sink-visibility": "public" + ] } } } @@ -858,7 +856,7 @@ jobs: } } } - GH_AW_MCP_CONFIG_cc25b79ce026637c_EOF + GH_AW_MCP_CONFIG_9f4a19e9067bc81e_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true