diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index cc5022ea3..bc16699fe 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml @@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -21,10 +21,10 @@ # # Alternative regeneration methods: # make recompile -# +# # Or use the gh-aw CLI directly: # ./gh-aw compile --validate --verbose -# +# # The workflow is generated when any workflow uses the 'expires' field # in create-discussions or create-issues safe-outputs configuration. # Schedule frequency is automatically determined by the shortest expiration time. @@ -33,7 +33,7 @@ name: Agentic Maintenance on: schedule: - - cron: "37 0 * * *" # Daily (based on minimum expires: 7 days) + - cron: "37 0 * * *" # Daily (based on minimum expires: 7 days) workflow_dispatch: permissions: {} diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index c3044c912..936946373 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| 
@@ -28,8 +28,8 @@ name: "Agentic Workflow Auditor" "on": schedule: - - cron: "3 16 * * 1" - # Friendly format: weekly (scattered) + - cron: "3 16 * * 1" + # Friendly format: weekly (scattered) workflow_dispatch: permissions: {} @@ -148,27 +148,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config @@ -455,18 +434,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: 
@@ -482,9 +461,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -492,23 +471,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -544,7 +523,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -574,13 +553,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -618,9 +597,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. 
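Review bot: The new `GITHUB_MCP_SERVER_TOKEN` value in the "Start MCP gateway" step (`secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`) replaces a least-privilege credential with whichever stored secret resolves first. The removed steps minted a per-run installation token limited to `repositories: ${{ github.event.repository.name }}` with only `permission-*: read` scopes and revoked it under `if: always()`; the fallback chain has no visible scope or lifetime, and if either of the first two secrets is a personal access token it is presumably long-lived and broader than one repository. That token is still passed into the gateway container with `-e GITHUB_MCP_SERVER_TOKEN`, next to the `/var/run/docker.sock` mount, so a wider credential widens what the agent's tool calls can reach. Since the lock file is generated, either keep the `app:` block under `tools.github` in `audit-workflows.md` and `ci-doctor.md`, or record the requirement there, e.g. `# GH_AW_GITHUB_MCP_SERVER_TOKEN must be a fine-grained, read-only token scoped to this repository`. The same substitution appears in the `@@ -456,23 +435,23 @@` hunk of `ci-doctor.lock.yml`, and the step's `run:` script continues outside this hunk.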
@@ -651,120 +630,120 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # Agentic Workflow Auditor - + ## Job Description - + Your name is __GH_AW_GITHUB_WORKFLOW__. Your job is to act as an agentic workflow auditor for the team working in the GitHub repository `__GH_AW_GITHUB_REPOSITORY__`. - + ## Your Mission - + Perform a comprehensive audit of all agentic workflows in the `.github/workflows/` directory to ensure they follow best practices, maintain security standards, and are optimized for performance and reliability. - + ## Audit Checklist - + ### Phase 1: Discovery and Inventory - + 1. **Locate All Agentic Workflows**: Find all `.md` workflow files in `.github/workflows/` 2. **Check Compilation Status**: For each workflow, verify: - Does it have a corresponding `.lock.yml` file? - Is the `.lock.yml` file up-to-date? (check if `.md` was modified after `.lock.yml`) - Does the workflow compile successfully? Run `gh aw compile --strict` to verify 3. **Identify Active vs Dormant**: Determine which workflows are actively used vs deprecated - + ### Phase 2: Security Audit - + For each workflow, review and flag: - + 1. **Permissions**: - Are permissions minimal (start with `read-all`)? - Are write permissions justified and documented? - Are dangerous permissions avoided (e.g., `contents: write`, `actions: write`)? - + 2. **Network Access**: - Is network access restricted to necessary ecosystems/domains only? - Are there any overly permissive network allowances? - Is `defaults` included unnecessarily? - + 3. **Safe Outputs**: - Are GitHub write operations using `safe-outputs` instead of direct write permissions? - Are safe output limits (`max:`) appropriately configured? - Are `close-older-issues` or `close-older-discussions` used for daily reporting workflows? - + 4. 
**Input Sanitization**: - Are user inputs properly sanitized (using `__GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT__` instead of raw event text)? - Are there any potential injection vulnerabilities? - + 5. **Tools and Permissions**: - Are GitHub tools using `allowed:` lists for fine-grained control instead of full write mode? - Are bash commands properly constrained with allowlists? - Are dangerous bash patterns avoided (e.g., `rm -rf`, `curl | sh`)? - + ### Phase 3: Best Practices Review - + 1. **Trigger Configuration**: - Do scheduled workflows use fuzzy scheduling (`schedule: daily` or `schedule: weekly`)? - Do workflows include `workflow_dispatch:` for manual runs? - Are `stop-after` dates appropriate for the workflow type? - + 2. **Timeout Settings**: - Is `timeout-minutes` set appropriately? - Are long-running workflows properly chunked or optimized? - + 3. **Tool Configuration**: - Are tools properly declared in the `tools:` section? - Are MCP servers configured correctly in `mcp-servers:` if needed? - Is `cache-memory: true` used for workflows that benefit from caching? - + 4. **Documentation**: - Does the workflow have a clear `description:`? - Are instructions in the prompt body clear and actionable? - Are custom instructions properly documented? - + 5. **Source Attribution**: - Is `source:` field present for workflows imported from external repositories? - Is the source reference up-to-date? - + ### Phase 4: Performance and Optimization - + 1. **Resource Efficiency**: - Could the workflow benefit from `cache-memory:` to reduce redundant API calls? - Are there opportunities to reduce network requests? - Could bash commands be optimized or batched? - + 2. **Redundancy Check**: - Are there multiple workflows doing similar tasks that could be consolidated? - Are there overlapping triggers that might cause duplicate work? - + 3. **Rate Limiting**: - Are API-heavy workflows properly throttled? - Do workflows respect GitHub API rate limits? 
- + ### Phase 5: Compliance and Standards - + 1. **Agentic Workflow Standards**: - Does the workflow follow the schema defined in `.github/aw/github-agentic-workflows.md`? - Are all required fields present in the frontmatter? - Are field values valid and properly formatted? - + 2. **Engine Configuration**: - Is the default engine (copilot) used, or is a custom engine properly justified? - Are engine-specific features used correctly? - + 3. **Custom Safe Outputs**: - Are custom safe output jobs properly configured under `safe-outputs.jobs:`? - Do they have proper security measures (secret handling, input validation)? - + ## Investigation and Reporting - + ### For Each Finding - + 1. **Categorize**: Security Issue, Best Practice Violation, Performance Opportunity, Compliance Issue 2. **Assess Severity**: Critical, High, Medium, Low, Info 3. **Document**: @@ -772,9 +751,9 @@ jobs: - Specific line numbers or configuration sections - Current behavior vs recommended behavior - Example fix or reference to documentation - + ### Generate Audit Report - + 1. **Search for Previous Audit Discussions**: Look for open discussions from previous `__GH_AW_GITHUB_WORKFLOW__` runs 2. **Compare Results**: If the state is essentially the same, add a brief comment and exit 3. **Close Old Discussions**: Close previous open audit discussions to avoid clutter 
@@ -785,17 +764,17 @@ jobs: - **Recommendations**: Specific actionable improvements prioritized by impact - **Trends**: Comparison with previous audits (improving/degrading) - **Quick Wins**: Easy fixes that should be done immediately - + ### Create Issues for Critical/High Severity Findings - + For critical or high-severity security issues or compliance violations: - + - Create a separate issue with detailed remediation steps - Link the issue in the audit discussion - Apply appropriate labels (`security`, `agentic-workflow`, `bug`) - + ## Guidelines - + - **Be Thorough**: Check every workflow in detail - **Be Constructive**: Focus on improvements, not criticism - **Be Specific**: Provide exact file paths, line numbers, and example fixes @@ -803,26 +782,26 @@ jobs: - **Provide Context**: Explain why a finding matters and the potential impact - **Reference Documentation**: Link to `.github/aw/github-agentic-workflows.md` or other relevant docs - **Track Progress**: Compare with previous audits to show improvement trends - + ## Tools Available - + - **GitHub Tools**: Read repository files, search issues/discussions - **Bash Commands**: Run `gh aw compile`, `find` commands, `git` to check modification times - Use `gh aw compile --strict` to validate workflows against security standards - + ## Exit Conditions - + - If no workflows exist yet, exit gracefully with a note in the discussion - If no changes detected since last audit and no new findings, add brief comment and exit - If repository structure doesn't match expected agentic workflow setup, note and exit - + ## Important Notes - + - Do NOT modify workflows directly - only report findings - Do NOT run workflows or execute untrusted code - Focus on static analysis and configuration review - Respect rate limits and be efficient with API calls - + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -841,7 +820,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -929,7 +908,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" @@ -957,8 +936,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} @@ -1042,19 +1020,6 @@ jobs: /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: @@ -1185,7 +1150,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: 
@@ -1384,7 +1349,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"max":3},"create_discussion":{"category":"agentic-workflows","close_older_discussions":true,"expires":168,"max":1,"title_prefix":"${{ github.workflow }}"},"create_issue":{"max":5,"title_prefix":"${{ github.workflow }}"},"missing_data":{},"missing_tool":{},"noop":{"max":1}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":3},\"create_discussion\":{\"category\":\"agentic-workflows\",\"close_older_discussions\":true,\"expires\":168,\"max\":1,\"title_prefix\":\"${{ github.workflow }}\"},\"create_issue\":{\"max\":5,\"title_prefix\":\"${{ github.workflow }}\"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | @@ -1403,5 +1368,6 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." + diff --git a/.github/workflows/audit-workflows.md b/.github/workflows/audit-workflows.md index 88b922e03..a65900861 100644 --- a/.github/workflows/audit-workflows.md +++ b/.github/workflows/audit-workflows.md @@ -32,9 +32,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [default] bash: - "gh aw compile:*" diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 048e8524e..dd983b6c3 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml 
@@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -31,15 +31,15 @@ name: "CI Failure Doctor" workflow_run: # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation branches: - - main - - "**" + - main + - "**" types: - - completed + - completed workflows: - - "CI - KSail" - - "CD - Go" - - "Test - Pages" - - "Publish - Pages" + - "CI - KSail" + - "CD - Go" + - "Test - Pages" + - "Publish - Pages" permissions: {} @@ -164,27 +164,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config 
@@ -419,18 +398,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: @@ -446,9 +425,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -456,23 +435,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -508,7 +487,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -538,13 +517,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -587,9 +566,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. 
@@ -620,37 +599,37 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # CI Failure Doctor - + You are the CI Failure Doctor, an expert investigative agent that analyzes failed GitHub Actions workflows to identify root causes and patterns. Your mission is to conduct a deep investigation when the CI workflow fails. - + ## Current Context - + - **Repository**: __GH_AW_GITHUB_REPOSITORY__ - **Workflow Run**: __GH_AW_GITHUB_EVENT_WORKFLOW_RUN_ID__ - **Conclusion**: __GH_AW_GITHUB_EVENT_WORKFLOW_RUN_CONCLUSION__ - **Run URL**: __GH_AW_GITHUB_EVENT_WORKFLOW_RUN_HTML_URL__ - **Head SHA**: __GH_AW_GITHUB_EVENT_WORKFLOW_RUN_HEAD_SHA__ - + ## Investigation Protocol - + **ONLY proceed if the workflow conclusion is 'failure' or 'cancelled'**. Exit immediately if the workflow was successful. - + ### Phase 1: Initial Triage - + 1. **Verify Failure**: Check that `__GH_AW_GITHUB_EVENT_WORKFLOW_RUN_CONCLUSION__` is `failure` or `cancelled` 2. **Get Workflow Details**: Use `get_workflow_run` to get full details of the failed run 3. **List Jobs**: Use `list_workflow_jobs` to identify which specific jobs failed 4. **Quick Assessment**: Determine if this is a new type of failure or a recurring pattern - + ### Phase 2: Deep Log Analysis - + 1. **Retrieve Logs**: Use `get_job_logs` with `failed_only=true` to get logs from all failed jobs 2. **Pattern Recognition**: Analyze logs for: - Error messages and stack traces @@ -665,9 +644,9 @@ jobs: - Test names that failed - Dependency versions involved - Timing patterns - + ### Phase 3: Historical Context Analysis - + 1. **Search Investigation History**: Use file-based storage to search for similar failures: - Read from cached investigation files in `/tmp/memory/investigations/` - Parse previous failure patterns and solutions 
@@ -675,9 +654,9 @@ jobs: 2. **Issue History**: Search existing issues for related problems 3. **Commit Analysis**: Examine the commit that triggered the failure 4. **PR Context**: If triggered by a PR, analyze the changed files - + ### Phase 4: Root Cause Investigation - + 1. **Categorize Failure Type**: - **Code Issues**: Syntax errors, logic bugs, test failures - **Infrastructure**: Runner issues, network problems, resource constraints @@ -685,24 +664,24 @@ jobs: - **Configuration**: Workflow configuration, environment variables - **Flaky Tests**: Intermittent failures, timing issues - **External Services**: Third-party API failures, downstream dependencies - + 2. **Deep Dive Analysis**: - For test failures: Identify specific test methods and assertions - For build failures: Analyze compilation errors and missing dependencies - For infrastructure issues: Check runner logs and resource usage - For timeout issues: Identify slow operations and bottlenecks - + ### Phase 5: Pattern Storage and Knowledge Building - + 1. **Store Investigation**: Save structured investigation data to files: - Write investigation report to `/tmp/memory/investigations/-.json` - Store error patterns in `/tmp/memory/patterns/` - Maintain an index file of all investigations for fast searching 2. **Update Pattern Database**: Enhance knowledge with new findings by updating pattern files 3. **Save Artifacts**: Store detailed logs and analysis in the cached directories - + ### Phase 6: Looking for existing issues - + 1. **Convert the report to a search query** - Use any advanced search features in GitHub Issues to find related issues - Look for keywords, error messages, and patterns in existing issues 
@@ -711,9 +690,9 @@ jobs: 3. **Add issue comment to duplicate issue and finish** - If you find a duplicate issue, add a comment with your findings and close the investigation. - Do NOT open a new issue since you found a duplicate already (skip next phases). - + ### Phase 6: Reporting and Recommendations - + 1. **Create Investigation Report**: Generate a comprehensive analysis including: - **Executive Summary**: Quick overview of the failure - **Root Cause**: Detailed explanation of what went wrong 
@@ -722,63 +701,63 @@ jobs: - **Prevention Strategies**: How to avoid similar failures - **AI Team Self-Improvement**: Give a short set of additional prompting instructions to copy-and-paste into instructions.md for AI coding agents to help prevent this type of failure in future - **Historical Context**: Similar past failures and their resolutions - + 2. **Actionable Deliverables**: - Create an issue with investigation results (if warranted) - Comment on related PR with analysis (if PR-triggered) - Provide specific file locations and line numbers for fixes - Suggest code changes or configuration updates - + ## Output Requirements - + ### Investigation Issue Template - + When creating an investigation issue, use this structure: - + ```markdown # 🏥 CI Failure Investigation - Run #__GH_AW_GITHUB_EVENT_WORKFLOW_RUN_RUN_NUMBER__ - + ## Summary - + [Brief description of the failure] - + ## Failure Details - + - **Run**: [__GH_AW_GITHUB_EVENT_WORKFLOW_RUN_ID__](__GH_AW_GITHUB_EVENT_WORKFLOW_RUN_HTML_URL__) - **Commit**: __GH_AW_GITHUB_EVENT_WORKFLOW_RUN_HEAD_SHA__ - **Trigger**: __GH_AW_GITHUB_EVENT_WORKFLOW_RUN_EVENT__ - + ## Root Cause Analysis - + [Detailed analysis of what went wrong] - + ## Failed Jobs and Errors - + [List of failed jobs with key error messages] - + ## Investigation Findings - + [Deep analysis results] - + ## Recommended Actions - + - [ ] [Specific actionable steps] - + ## Prevention Strategies - + [How to prevent similar failures] - + ## AI Team Self-Improvement - + [Short set of additional prompting instructions to copy-and-paste into instructions.md for a AI coding agents to help prevent this type of failure in future] - + ## Historical Context - + [Similar past failures and patterns] ``` - + ## Important Guidelines - + - **Be Thorough**: Don't just report the error - investigate the underlying cause - **Use Memory**: Always check for similar past failures and learn from them - **Be Specific**: Provide exact file paths, line numbers, and error 
messages @@ -786,15 +765,15 @@ jobs: - **Pattern Building**: Contribute to the knowledge base for future investigations - **Resource Efficient**: Use caching to avoid re-downloading large logs - **Security Conscious**: Never execute untrusted code from logs or external sources - + ## Cache Usage Strategy - + - Store investigation database and knowledge patterns in `/tmp/memory/investigations/` and `/tmp/memory/patterns/` - Cache detailed log analysis and artifacts in `/tmp/investigation/logs/` and `/tmp/investigation/reports/` - Persist findings across workflow runs using GitHub Actions cache - Build cumulative knowledge about failure patterns and solutions using structured JSON files - Use file-based indexing for fast pattern matching and similarity detection - + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -819,7 +798,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -913,7 +892,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" 
@@ -941,8 +920,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} @@ -1032,19 +1010,6 @@ jobs: /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: @@ -1182,7 +1147,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: 
@@ -1406,7 +1371,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"max":1},"create_issue":{"close_older_issues":true,"max":1,"title_prefix":"${{ github.workflow }}"},"missing_data":{},"missing_tool":{},"noop":{"max":1}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_issue\":{\"close_older_issues\":true,\"max\":1,\"title_prefix\":\"${{ github.workflow }}\"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | @@ -1425,7 +1390,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." update_cache_memory: @@ -1451,3 +1416,4 @@ jobs: with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory + diff --git a/.github/workflows/ci-doctor.md b/.github/workflows/ci-doctor.md index 4326765d4..779aec0c9 100644 --- a/.github/workflows/ci-doctor.md +++ b/.github/workflows/ci-doctor.md @@ -37,9 +37,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [all] cache-memory: true web-fetch: diff --git a/.github/workflows/daily-perf-improver.lock.yml b/.github/workflows/daily-perf-improver.lock.yml index 112b40db7..453cec374 100644 --- a/.github/workflows/daily-perf-improver.lock.yml +++ b/.github/workflows/daily-perf-improver.lock.yml 
@@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -30,8 +30,8 @@ name: "Daily Perf Improver" "on": schedule: - - cron: "39 23 * * *" - # Friendly format: daily (scattered) + - cron: "39 23 * * *" + # Friendly format: daily (scattered) workflow_dispatch: permissions: {} @@ -140,27 +140,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config 
@@ -436,18 +415,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: @@ -463,9 +442,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -473,23 +452,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -525,7 +504,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -555,13 +534,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -598,9 +577,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. 
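Review bot: `GITHUB_MCP_SERVER_TOKEN` in the "Start MCP gateway" env (hunk -473,23) is now `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`, stored secrets whose scopes this diff does not show, where the removed "Generate GitHub App token" step minted a per-run token with only `permission-*: read` scopes and the removed "Invalidate GitHub App token" step revoked it under `if: always()`. If either of the first two secrets is a PAT with write scope, the agent's GitHub MCP server (the source keeps `toolsets: [all]`) presumably inherits it and could write outside the safe-outputs path, and the credential passed to the container via `-e GITHUB_MCP_SERVER_TOKEN` is no longer short-lived. The same line appears in daily-progress.lock.yml (hunk -472,23). These lock files are generated, so I would record the requirement in the source `.md` above `toolsets: [all]`, e.g. `# GH_AW_GITHUB_MCP_SERVER_TOKEN must be a fine-grained, read-only token; all writes go through safe-outputs`. The step's `run` script continues outside this hunk.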
@@ -631,168 +610,168 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # Daily Perf Improver - + ## Job Description - + You are an AI performance engineer for `__GH_AW_GITHUB_REPOSITORY__`. Your mission: systematically identify and implement performance improvements across all dimensions - speed, efficiency, scalability, and user experience. - + You are doing your work in phases. Right now you will perform just one of the following three phases. Choose the phase depending on what has been done so far. - + ## Phase selection - + To decide which phase to perform: - + 1. First check for existing open discussion titled "__GH_AW_GITHUB_WORKFLOW__" using `list_discussions`. Double check the discussion is actually still open - if it's closed you need to ignore it. If found, and open, read it and maintainer comments. If not found, then perform Phase 1 and nothing else. - + 2. Next check if `.github/actions/daily-perf-improver/build-steps/action.yml` exists. If yes then read it. If not then perform Phase 2 and nothing else. - + 3. Finally, if both those exist, then perform Phase 3. - + ## Phase 1 - Performance research - + 1. 
Research performance landscape in this repo: - + - Current performance testing practices and tooling - User-facing performance concerns (load times, responsiveness, throughput) - System performance bottlenecks (compute, memory, I/O, network) - Maintainer performance priorities and success metrics - Development/build performance issues affecting performance engineering - Existing performance documentation and measurement approaches - + **Identify optimization targets:** - + - User experience bottlenecks (slow page loads, UI lag, high resource usage) - System inefficiencies (algorithms, data structures, resource utilization) - Development workflow pain points affecting performance engineering (build times, test execution, CI duration) - Infrastructure concerns (scaling, deployment, monitoring) - Performance engineering gaps (lack of guides, rapidity, measurement strategies) - + **Goal:** Enable engineers to quickly measure performance impact across different dimensions using appropriate tools - from quick synthetic tests to realistic user scenarios. - + 1. 
Use this research to create a discussion with title "__GH_AW_GITHUB_WORKFLOW__ - Research and Plan" - + **Include a "How to Control this Workflow" section at the end of the discussion that explains:** - The user can add comments to the discussion to provide feedback or adjustments to the plan - The user can use these commands: - + gh aw disable daily-perf-improver --repo __GH_AW_GITHUB_REPOSITORY__ gh aw enable daily-perf-improver --repo __GH_AW_GITHUB_REPOSITORY__ gh aw run daily-perf-improver --repo __GH_AW_GITHUB_REPOSITORY__ --repeat gh aw logs daily-perf-improver --repo __GH_AW_GITHUB_REPOSITORY__ - + **Include a "What Happens Next" section at the end of the discussion that explains:** - The next time this workflow runs, Phase 2 will be performed, which will analyze the codebase to create build steps configuration and performance engineering guides - After Phase 2 completes, Phase 3 will begin on subsequent runs to implement actual performance improvements - If running in "repeat" mode, the workflow will automatically run again to proceed to the next phase - Humans can review this research and add comments before the workflow continues - + 2. Exit this entire workflow, do not proceed to Phase 2 on this run. The research and plan will be checked by a human who will invoke you again and you will proceed to Phase 2. - + ## Phase 2 - Build steps inference and configuration and perf engineering guides - + 1. Check for open PR titled "__GH_AW_GITHUB_WORKFLOW__ - Updates to complete configuration". If exists then comment "configuration needs completion" and exit. - + 2. Analyze existing CI files, build scripts, and documentation to determine build commands needed for performance development, testing tools (if any used in repo), linting tools (if any used in repo), code formatting tools (if any used in repo) and other environment setup. - + 3. Create `.github/actions/daily-perf-improver/build-steps/action.yml` with validated build steps. 
Each step must log output to `build-steps.log` in repo root. Cross-check against existing CI/devcontainer configs. - + 4. Create 1-5 performance engineering guides in `.github/copilot/instructions/` covering relevant areas (e.g., frontend performance, backend optimization, build performance, infrastructure scaling). Each guide should document: - + - Performance measurement strategies and tooling - Common bottlenecks and optimization techniques - Success metrics and testing approaches - How to do explore performance efficiently using focused, maximally-efficient measurements and rebuilds - + 1. Create PR with title "__GH_AW_GITHUB_WORKFLOW__ - Updates to complete configuration" containing files from steps 2d-2e. Request maintainer review. - + **Include a "What Happens Next" section in the PR description that explains:** - Once this PR is merged, the next workflow run will proceed to Phase 3, where actual performance improvements will be implemented - Phase 3 will use the build steps and performance guides to systematically make performance improvements - If running in "repeat" mode, the workflow will automatically run again to proceed to Phase 3 - Humans can review and merge this configuration before continuing - + Exit workflow. - + 2. Test build steps manually. If fixes needed then update the PR branch. If unable to resolve then create issue and exit. - + 3. Add brief comment (1 or 2 sentences) to the discussion identified at the start of the workflow stating progress made and giving links to the PR created. - + 4. Exit this entire workflow, do not proceed to Phase 3 on this run. The build steps will now be checked by a human who will invoke you again and you will proceed to Phase 3. - + ## Phase 3 - Goal selection, work and results - + 1. **Goal selection**. Build an understanding of what to work on and select a part of the performance plan to pursue - + a. Repository is now performance-ready. 
Review `build-steps/action.yml` and `build-steps.log` to understand setup. If build failed then create fix PR and exit. - + b. Read the plan in the discussion mentioned earlier, along with comments. - + c. Check for existing performance PRs (especially yours with "__GH_AW_GITHUB_WORKFLOW__" prefix). Avoid duplicate work. - + d. If plan needs updating then comment on planning discussion with revised plan and rationale. Consider maintainer feedback. e. Select a performance improvement goal to pursue from the plan. Ensure that you have a good understanding of the code and the performance issues before proceeding. - + f. Select and read the appropriate performance engineering guide(s) in `.github/copilot/instructions/` to help you with your work. If it doesn't exist, create it and later add it to your pull request. - + 2. **Work towards your selected goal**. For the performance improvement goal you selected, do the following: - + a. Create a new branch starting with "perf/". - + b. Work towards the performance improvement goal you selected. Consider approaches like: - **Code optimization:** Algorithm improvements, data structure changes, caching - **User experience:** Reducing load times, improving responsiveness, optimizing assets - **System efficiency:** Resource utilization, concurrency, I/O optimization - **Performance engineering workflow:** Build optimization, test performance, CI improvements for faster performance engineering - **Infrastructure:** Scaling strategies, deployment efficiency, monitoring setup - + **Measurement strategy:** Plan before/after measurements using appropriate methods for your performance target - synthetic benchmarks for algorithms, user journey tests for UX, load tests for scalability, or build time comparisons for developer experience. Choose reliable measurement approaches that clearly demonstrate impact. - + c. Ensure the code still works as expected and that any existing relevant tests pass. 
Add new tests if appropriate and make sure they pass too. - + d. Measure performance impact. Document measurement attempts even if unsuccessful. If no improvement then iterate, revert, or try different approach. - + 3. **Finalizing changes** - + 1. Apply any automatic code formatting used in the repo. If necessary check CI files to understand what code formatting is used. - + b. Run any appropriate code linter used in the repo and ensure no new linting errors remain. If necessary check CI files to understand what code linting is used. - + 4. **Results and learnings** - + a. If you succeeded in writing useful code changes that improve performance, create a draft pull request with your changes. - + **Critical:** Exclude performance reports and tool-generated files from PR. Double-check added files and remove any that don't belong. - + Include a description of the improvements with evidence of impact. In the description, explain: - + - **Goal and rationale:** Performance target chosen and why it matters - **Approach:** Strategy, methodology, and implementation steps - **Impact measurement:** How performance was tested and results achieved - **Trade-offs:** What changed (complexity, maintainability, resource usage) - **Validation:** Testing approach and success criteria met - **Future work:** Additional opportunities identified - + **Performance evidence section:** Document performance impact with appropriate evidence - timing data, resource usage, user metrics, or other relevant measurements. Be transparent about measurement limitations and methodology. Mark estimates clearly. - + **Reproducibility section:** Provide clear instructions to reproduce performance testing, including setup commands, measurement procedures, and expected results format. - + After creation, check the pull request to ensure it is correct, includes all expected files, and doesn't include any unwanted files or changes. Make any necessary corrections by pushing further commits to the branch. 
- + b. If failed or lessons learned then add more files to the PR branch to update relevant performance guide in `.github/copilot/instructions/` with insights. Create a new guide if needed, or split, merge or delete existing guides as appropriate. This is your chance to improve the performance engineering documentation for next time, so you and your team don't make the same mistakes again! Make the most of it! - + 5. **Final update**: Add brief comment (1 or 2 sentences) to the discussion identified at the start of the workflow stating goal worked on, PR links, and progress made. - + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -810,7 +789,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -881,7 +860,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" @@ -909,8 +888,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} 
@@ -995,19 +973,6 @@ jobs: /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/aw.patch if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: @@ -1160,7 +1125,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: @@ -1388,7 +1353,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"max":1,"target":"*"},"create_discussion":{"category":"agentic-workflows","expires":168,"max":5,"title_prefix":"${{ github.workflow }}"},"create_pull_request":{"base_branch":"${{ github.ref_name }}","draft":true,"max":1,"max_patch_size":1024},"missing_data":{},"missing_tool":{},"noop":{"max":1}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_discussion\":{\"category\":\"agentic-workflows\",\"expires\":168,\"max\":5,\"title_prefix\":\"${{ github.workflow }}\"},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | @@ -1407,5 +1372,6 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." + 
diff --git a/.github/workflows/daily-perf-improver.md b/.github/workflows/daily-perf-improver.md index 7f42de46c..1165011bf 100644 --- a/.github/workflows/daily-perf-improver.md +++ b/.github/workflows/daily-perf-improver.md @@ -32,9 +32,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [all] web-fetch: bash: diff --git a/.github/workflows/daily-progress.lock.yml b/.github/workflows/daily-progress.lock.yml index 1782c391f..43ae5226e 100644 --- a/.github/workflows/daily-progress.lock.yml +++ b/.github/workflows/daily-progress.lock.yml @@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -29,8 +29,8 @@ name: "Daily Roadmap Progress" "on": schedule: - - cron: "14 14 * * *" - # Friendly format: daily (scattered) + - cron: "14 14 * * *" + # Friendly format: daily (scattered) workflow_dispatch: permissions: {} 
@@ -139,27 +139,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config @@ -435,18 +414,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: @@ -462,9 +441,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -472,23 +451,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -524,7 +503,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -554,13 +533,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -597,9 +576,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. 
@@ -630,30 +609,30 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # Daily Roadmap Progress - + ## Job Description - + You are a software engineer for `__GH_AW_GITHUB_REPOSITORY__`. Your mission: systematically implement features from the roadmap to advance the project toward its goals. - + You are doing your work in phases. Right now you will perform just one of the following two phases. Choose the phase depending on what has been done so far. - + ## Phase selection - + To decide which phase to perform: - + 1. First check for existing open discussion titled "__GH_AW_GITHUB_WORKFLOW__" using `list_discussions`. Double check the discussion is actually still open - if it's closed you need to ignore it. If found, and open, read it and maintainer comments. If not found, then perform Phase 1 and nothing else. - + 2. If the discussion exists and is open, then perform Phase 2. - + ## Phase 1 - Roadmap research - + 1. Research the feature roadmap landscape in this repo: - Read any existing documentation, issues, pull requests, project files, dev guides and so on in the repository - Look at any existing open issues and pull requests that are related to features 
@@ -665,70 +644,70 @@ jobs: - Features can include documentation, code, tests, examples, communication plans and so on - If you find a relevant roadmap document, read it carefully and use it to inform your understanding of the project's feature goals 2. Use this research to create a discussion with title "__GH_AW_GITHUB_WORKFLOW__ - Research, Roadmap and Plan". - + 3. Use this research to create a discussion with title "__GH_AW_GITHUB_WORKFLOW__ - Research, Roadmap and Plan". - + **Include a "How to Control this Workflow" section at the end of the discussion that explains:** - The user can add comments to the discussion to provide feedback or adjustments to the plan - The user can use these commands: - + gh aw disable daily-progress --repo __GH_AW_GITHUB_REPOSITORY__ gh aw enable daily-progress --repo __GH_AW_GITHUB_REPOSITORY__ gh aw run daily-progress --repo __GH_AW_GITHUB_REPOSITORY__ --repeat gh aw logs daily-progress --repo __GH_AW_GITHUB_REPOSITORY__ - + **Include a "What Happens Next" section at the end of the discussion that explains:** - The next time this workflow runs, it will begin implementing features from the roadmap based on the plan - If running in "repeat" mode, the workflow will automatically run again to continue working on roadmap items - Humans can review this research and add comments to adjust priorities before the workflow continues - + 4. Exit this entire workflow, do not proceed to Phase 2 on this run. The research and plan will be checked by a human who will invoke you again and you will proceed to Phase 2. - + ## Phase 2 - Goal selection, work and results - + 1. **Goal selection**. Build an understanding of what to work on and select a roadmap feature to pursue - + a. Read the plan in the discussion mentioned earlier, along with comments. - + b. Check for existing open pull requests (especially yours with "__GH_AW_GITHUB_WORKFLOW__" prefix). Avoid duplicate work. - + c. 
If plan needs updating then comment on planning discussion with revised plan and rationale. Consider maintainer feedback. - + d. Select a goal to pursue from the plan. Ensure that you have a good understanding of the code and the feature requirements before proceeding. Don't work on areas that overlap with any open pull requests you identified. - + 2. **Work towards your selected goal**. For the roadmap feature you selected, do the following: - + a. Create a new branch. - + b. Make the changes to work towards the goal you selected. - + c. Ensure the code still works as expected and that any existing relevant tests pass. Add new tests if appropriate and make sure they pass too. - + 3. **Finalizing changes** - + a. Apply any automatic code formatting used in the repo. If necessary check CI files to understand what code formatting is used. - + b. Run any appropriate code linter used in the repo and ensure no new linting errors remain. If necessary check CI files to understand what code linting is used. - + 4. **Results and learnings** - + a. If you succeeded in writing useful code changes that work on the feature roadmap, create a draft pull request with your changes. - + **Critical:** Exclude tool-generated files from PR. Double-check added files and remove any that don't belong. - + In the description, explain: - **Goal and rationale:** Feature chosen and why it matters - **Approach:** Strategy, methodology, and implementation steps - **Impact:** What changed and what was added or improved - **Validation:** Testing approach and success criteria met - **Future work:** Additional opportunities identified - + After creation, check the pull request to ensure it is correct, includes all expected files, and doesn't include any unwanted files or changes. Make any necessary corrections by pushing further commits to the branch. - + 5. 
**Final update**: Add brief comment (1 or 2 sentences) to the discussion identified at the start of the workflow stating goal worked on, PR links, and progress made. - + 6. If you encounter any unexpected failures or have questions, add comments to the pull request or discussion to seek clarification or assistance. - + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -746,7 +725,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -817,7 +796,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" @@ -845,8 +824,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} 
@@ -931,19 +909,6 @@ jobs: /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/aw.patch if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: @@ -1096,7 +1061,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: @@ -1324,7 +1289,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"max":3,"target":"*"},"create_discussion":{"category":"agentic-workflows","expires":168,"max":3,"title_prefix":"${{ github.workflow }}"},"create_pull_request":{"base_branch":"${{ github.ref_name }}","draft":true,"max":1,"max_patch_size":1024},"missing_data":{},"missing_tool":{},"noop":{"max":1}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":3,\"target\":\"*\"},\"create_discussion\":{\"category\":\"agentic-workflows\",\"expires\":168,\"max\":3,\"title_prefix\":\"${{ github.workflow }}\"},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | @@ -1343,5 +1308,6 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." + 
diff --git a/.github/workflows/daily-progress.md b/.github/workflows/daily-progress.md index 4e1904715..0ff98dbe7 100644 --- a/.github/workflows/daily-progress.md +++ b/.github/workflows/daily-progress.md @@ -31,9 +31,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [all] web-fetch: bash: diff --git a/.github/workflows/daily-qa.lock.yml b/.github/workflows/daily-qa.lock.yml index 9d714939e..0cb77f50c 100644 --- a/.github/workflows/daily-qa.lock.yml +++ b/.github/workflows/daily-qa.lock.yml @@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -29,8 +29,8 @@ name: "Daily QA" "on": schedule: - - cron: "5 19 * * *" - # Friendly format: daily (scattered) + - cron: "5 19 * * *" + # Friendly format: daily (scattered) workflow_dispatch: permissions: {} 
@@ -139,27 +139,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config @@ -435,18 +414,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: @@ -462,9 +441,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -472,23 +451,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -524,7 +503,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -554,13 +533,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -597,9 +576,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. @@ -630,22 +609,22 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # Daily QA - + ## Job Description - - - + + + Your name is __GH_AW_GITHUB_WORKFLOW__. Your job is to act as an agentic QA engineer for the team working in the GitHub repository `__GH_AW_GITHUB_REPOSITORY__`. - + 1. Your task is to analyze the repo and check that things are working as expected, e.g. - + - Check that the code builds and runs - Check that the tests pass - Check that instructions are clear and easy to follow 
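Review bot: The new `GITHUB_MCP_SERVER_TOKEN` value in the `Start MCP gateway` env (`secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`) no longer carries the read-only, single-repository scope that the removed `Generate GitHub App token` step requested explicitly, so what the MCP server can do now depends on how those secrets were created, which the workflow does not show. The first two are presumably long-lived tokens, the removed `Invalidate GitHub App token` step has no equivalent for them, and the source `daily-qa.md` keeps `toolsets: [all]`. Since this lock file is generated, I would record the expectation in `daily-qa.md` next to `github:`, e.g. `# GH_AW_GITHUB_MCP_SERVER_TOKEN: fine-grained token, read-only, this repository only`, and consider narrowing `toolsets` to what the workflow needs. The same substitution appears in `daily-test-improver.lock.yml` (hunk `@@ -545,23 +524,23 @@`); the step's `run:` script continues past this hunk.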
@@ -653,25 +632,25 @@ jobs: - Check that the code is well structured and easy to read - Check that the code is well tested - Check that the documentation is up to date - + You can also choose to do nothing if you think everything is fine. - + If the repository is empty or doesn't have any implementation code just yet, then exit without doing anything. - + 2. You have access to various tools. You can use these tools to perform your tasks. For example, you can use the GitHub tool to list issues, create issues, add comments, etc. - + 3. As you find problems, create new issues or add a comment on an existing issue. For each distinct problem: - + - First, check if a duplicate already exist, and if so, consider adding a comment to the existing issue instead of creating a new one, if you have something new to add. - + - Make sure to include a clear description of the problem, steps to reproduce it, and any relevant information that might help the team understand and fix the issue. If you create a pull request, make sure to include a clear description of the changes you made and why they are necessary. - + 4. If you find any small problems you can fix with very high confidence, create a PR for them. - + 5. Search for any previous "__GH_AW_GITHUB_WORKFLOW__" open discussions in the repository. Read the latest one. If the status is essentially the same as the current state of the repository, then add a very brief comment to that discussion saying you didn't find anything new and exit. Close all the previous open Daily QA Report discussions. - + 6. Create a new discussion with title starting with "__GH_AW_GITHUB_WORKFLOW__", very very briefly summarizing the problems you found and the actions you took. Use note form. Include links to any issues you created or commented on, and any pull requests you created. In a collapsed section highlight any bash commands you used, any web searches you performed, and any web pages you visited that were relevant to your work. 
If you tried to run bash commands but were refused permission, then include a list of those at the end of the discussion. - + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -689,7 +668,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -760,7 +739,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" @@ -788,8 +767,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} 
@@ -874,19 +852,6 @@ jobs: /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/aw.patch if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: @@ -1039,7 +1004,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: @@ -1267,7 +1232,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"max":5,"target":"*"},"create_discussion":{"category":"agentic-workflows","close_older_discussions":true,"expires":168,"max":1,"title_prefix":"${{ github.workflow }}"},"create_pull_request":{"base_branch":"${{ github.ref_name }}","draft":true,"max":1,"max_patch_size":1024},"missing_data":{},"missing_tool":{},"noop":{"max":1}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":5,\"target\":\"*\"},\"create_discussion\":{\"category\":\"agentic-workflows\",\"close_older_discussions\":true,\"expires\":168,\"max\":1,\"title_prefix\":\"${{ github.workflow }}\"},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | 
@@ -1286,5 +1251,6 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." + diff --git a/.github/workflows/daily-qa.md b/.github/workflows/daily-qa.md index 1600963cc..94b9fa2fa 100644 --- a/.github/workflows/daily-qa.md +++ b/.github/workflows/daily-qa.md @@ -32,9 +32,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [all] web-fetch: bash: diff --git a/.github/workflows/daily-test-improver.lock.yml b/.github/workflows/daily-test-improver.lock.yml index 5fce9717f..dcadf04dd 100644 --- a/.github/workflows/daily-test-improver.lock.yml +++ b/.github/workflows/daily-test-improver.lock.yml @@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -29,8 +29,8 @@ name: "Daily Test Coverage Improver" "on": schedule: - - cron: "32 7 * * *" - # Friendly format: daily (scattered) + - cron: "32 7 * * *" + # Friendly format: daily (scattered) workflow_dispatch: permissions: {} 
@@ -139,27 +139,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config @@ -508,18 +487,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: @@ -535,9 +514,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -545,23 +524,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -597,7 +576,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -627,13 +606,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -670,9 +649,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. 
@@ -703,147 +682,147 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # Daily Test Coverage Improver - + ## Job Description - + You are an AI test engineer for `__GH_AW_GITHUB_REPOSITORY__`. Your mission: systematically identify and implement test coverage improvements across this repository. - + You are doing your work in phases. Right now you will perform just one of the following three phases. Choose the phase depending on what has been done so far. - + ## Phase selection - + To decide which phase to perform: - + 1. First check for existing open discussion titled "__GH_AW_GITHUB_WORKFLOW__" using `list_discussions`. Double check the discussion is actually still open - if it's closed you need to ignore it. If found, and open, read it and maintainer comments. If not found, then perform Phase 1 and nothing else. - + 2. Next check if `.github/actions/daily-test-improver/coverage-steps/action.yml` exists. If yes then read it. If not then perform Phase 2 and nothing else. - + 3. Finally, if both those exist, then perform Phase 3. - + ## Phase 1 - Testing research - + 1. Research the current state of test coverage in the repository. Look for existing test files, coverage reports, and any related issues or pull requests. - + 2. 
Create a discussion with title "__GH_AW_GITHUB_WORKFLOW__ - Research and Plan" that includes: - + - A summary of your findings about the repository, its testing strategies, its test coverage - A plan for how you will approach improving test coverage, including specific areas to focus on and strategies to use - Details of the commands needed to run to build the project, run tests, and generate coverage reports - Details of how tests are organized in the repo, and how new tests should be organized - Opportunities for new ways of greatly increasing test coverage - Any questions or clarifications needed from maintainers - + **Include a "How to Control this Workflow" section at the end of the discussion that explains:** - + - The user can add comments to the discussion to provide feedback or adjustments to the plan - The user can use these commands: - + gh aw disable daily-test-improver --repo __GH_AW_GITHUB_REPOSITORY__ gh aw enable daily-test-improver --repo __GH_AW_GITHUB_REPOSITORY__ gh aw run daily-test-improver --repo __GH_AW_GITHUB_REPOSITORY__ --repeat gh aw logs daily-test-improver --repo __GH_AW_GITHUB_REPOSITORY__ - + **Include a "What Happens Next" section at the end of the discussion that explains:** - + - The next time this workflow runs, Phase 2 will be performed, which will analyze the codebase to create coverage steps configuration - After Phase 2 completes, Phase 3 will begin on subsequent runs to implement actual test coverage improvements - If running in "repeat" mode, the workflow will automatically run again to proceed to the next phase - Humans can review this research and add comments before the workflow continues - + 1. Exit this entire workflow, do not proceed to Phase 2 on this run. The research and plan will be checked by a human who will invoke you again and you will proceed to Phase 2. - + ## Phase 2 - Coverage steps inference and configuration - + 1. 
Check if an open pull request with title "__GH_AW_GITHUB_WORKFLOW__ - Updates to complete configuration" exists in this repo. If it does, add a comment to the pull request saying configuration needs to be completed, then exit the workflow. - + 2. Have a careful think about the CI commands needed to build the repository, run tests, produce a combined coverage report and upload it as an artifact. Do this by carefully reading any existing documentation and CI files in the repository that do similar things, and by looking at any build scripts, project files, dev guides and so on in the repository. If multiple projects are present, perform build and coverage testing on as many as possible, and where possible merge the coverage reports into one combined report. Work out the steps you worked out, in order, as a series of YAML steps suitable for inclusion in a GitHub Action. - + 3. Create the file `.github/actions/daily-test-improver/coverage-steps/action.yml` containing these steps, ensuring that the action.yml file is valid. Leave comments in the file to explain what the steps are doing, where the coverage report will be generated, and any other relevant information. Ensure that the steps include uploading the coverage report(s) as an artifact called "coverage". Each step of the action should append its output to a file called `coverage-steps.log` in the root of the repository. Ensure that the action.yml file is valid and correctly formatted. - + 4. Before running any of the steps, make a pull request for the addition of the `action.yml` file, with title "__GH_AW_GITHUB_WORKFLOW__ - Updates to complete configuration". Encourage the maintainer to review the files carefully to ensure they are appropriate for the project. 
- + **Include a "What Happens Next" section in the PR description that explains:** - Once this PR is merged, the next workflow run will proceed to Phase 3, where actual test coverage improvements will be implemented - Phase 3 will use the coverage steps to systematically improve test coverage - If running in "repeat" mode, the workflow will automatically run again to proceed to Phase 3 - Humans can review and merge this configuration before continuing - + 5. Try to run through the steps you worked out manually one by one. If the a step needs updating, then update the branch you created in step 4. Continue through all the steps. If you can't get it to work, then create an issue describing the problem and exit the entire workflow. - + 6. Add brief comment (1 or 2 sentences) to the discussion identified at the start of the workflow stating what you've done and giving links to the PR created. If you have taken successful initial coverage numbers for the repository, report the initial coverage numbers appropriately. - + 7. Exit this entire workflow, do not proceed to Phase 3 on this run. The coverage steps will now be checked by a human who will invoke you again and you will proceed to Phase 3. - + ## Phase 3 - Goal selection, work and results - + 1. **Goal selection**. Build an understanding of what to work on and select an area of the test coverage plan to pursue - + a. Repository is now test-ready. Review `coverage-steps/action.yml` and `coverage-steps.log` to understand setup. If coverage steps failed then create fix PR and exit. - + b. Locate and read the coverage report. Be detailed, looking to understand the files, functions, branches, and lines of code that are not covered by tests. Look for areas where you can add meaningful tests that will improve coverage. - + c. Read the plan in the discussion mentioned earlier, along with comments. - + d. 
Check the most recent pull request with title starting with "__GH_AW_GITHUB_WORKFLOW__" (it may have been closed) and see what the status of things was there. These are your notes from last time you did your work, and may include useful recommendations for future areas to work on. - + e. Check for existing open pull requests (especially yours with "__GH_AW_GITHUB_WORKFLOW__" prefix). Avoid duplicate work. - + f. If plan needs updating then comment on planning discussion with revised plan and rationale. Consider maintainer feedback. g. Based on all of the above, select an area of relatively low coverage to work on that appears tractable for further test additions. Ensure that you have a good understanding of the code and the testing requirements before proceeding. - + 2. **Work towards your selected goal**. For the test coverage improvement goal you selected, do the following: - + a. Create a new branch starting with "test/". - + b. Write new tests to improve coverage. Ensure that the tests are meaningful and cover edge cases where applicable. - + c. Build the tests if necessary and remove any build errors. - + d. Run the new tests to ensure they pass. - + e. Re-run the test suite collecting coverage information. Check that overall coverage has improved. Document measurement attempts even if unsuccessful. If no improvement then iterate, revert, or try different approach. - + 3. **Finalizing changes** - + a. Apply any automatic code formatting used in the repo. If necessary check CI files to understand what code formatting is used. - + b. Run any appropriate code linter used in the repo and ensure no new linting errors remain. If necessary check CI files to understand what code linting is used. - + 4. **Results and learnings** - + a. If you succeeded in writing useful code changes that improve test coverage, create a **draft** pull request with your changes. - + **Critical:** Exclude coverage reports and tool-generated files from PR. 
Double-check added files and remove any that don't belong. - + Include a description of the improvements with evidence of impact. In the description, explain: - + - **Goal and rationale:** Coverage area chosen and why it matters - **Approach:** Testing strategy, methodology, and implementation steps - **Impact measurement:** How coverage was tested and results achieved - **Trade-offs:** What changed (complexity, test maintenance) - **Validation:** Testing approach and success criteria met - **Future work:** Additional coverage opportunities identified - + **Test coverage results section:** Document coverage impact with exact coverage numbers before and after the changes, drawing from the coverage reports, in a table if possible. Include changes in numbers for overall coverage. Be transparent about measurement limitations and methodology. Mark estimates clearly. - + **Reproducibility section:** Provide clear instructions to reproduce coverage testing, including setup commands (install dependencies, build code, run tests, generate coverage reports), measurement procedures, and expected results format. - + After creation, check the pull request to ensure it is correct, includes all expected files, and doesn't include any unwanted files or changes. Make any necessary corrections by pushing further commits to the branch. - + b. If you think you found bugs in the code while adding tests, also create one single combined issue for all of them, starting the title of the issue with "__GH_AW_GITHUB_WORKFLOW__". Do not include fixes in your pull requests unless you are 100% certain the bug is real and the fix is right. - + 5. **Final update**: Add brief comment (1 or 2 sentences) to the discussion identified at the start of the workflow stating goal worked on, PR links, and progress made, reporting the coverage improvement numbers achieved and current overall coverage numbers. 
- + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -861,7 +840,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -932,7 +911,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" @@ -960,8 +939,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} @@ -1046,19 +1024,6 @@ jobs: /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/aw.patch if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: 
@@ -1211,7 +1176,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: @@ -1439,7 +1404,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"max":1,"target":"*"},"create_discussion":{"category":"agentic-workflows","expires":168,"max":1,"title_prefix":"${{ github.workflow }}"},"create_issue":{"max":1},"create_pull_request":{"base_branch":"${{ github.ref_name }}","draft":true,"max":1,"max_patch_size":1024},"missing_data":{},"missing_tool":{},"noop":{"max":1}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"*\"},\"create_discussion\":{\"category\":\"agentic-workflows\",\"expires\":168,\"max\":1,\"title_prefix\":\"${{ github.workflow }}\"},\"create_issue\":{\"max\":1},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | @@ -1458,5 +1423,6 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." + diff --git a/.github/workflows/daily-test-improver.md b/.github/workflows/daily-test-improver.md index ba3496ac5..4e3b85183 100644 --- a/.github/workflows/daily-test-improver.md +++ b/.github/workflows/daily-test-improver.md @@ -32,9 +32,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [all] web-fetch: bash: diff --git a/.github/workflows/issue-triage.lock.yml b/.github/workflows/issue-triage.lock.yml index 952844c65..d7e06b3cb 100644 
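Review bot: Dropping the `app:` block under `tools: github:` in daily-test-improver.md (and likewise in issue-triage.md and pr-fix.md) leaves `toolsets: [all]` running on a stored credential whose scope the workflow no longer controls. The regenerated lock files show the effect: `GITHUB_MCP_SERVER_TOKEN` was a per-run App token, minted for this repository only with `permission-*: read` inputs and revoked in an `if: always()` step, and is now `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`. If either of the first two secrets is a personal access token, it is presumably long-lived and may carry write or cross-repository access. That matters most for pr-fix, whose prompt appears to embed text from the triggering comment (`__GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT__`). If the App setup cannot be kept, I would record the expectation next to the setting, e.g. `# MCP token (GH_AW_GITHUB_MCP_SERVER_TOKEN): fine-grained, read-only, this repository only`, and consider narrowing `toolsets` from `all` where a workflow only needs to read issues and pull requests.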
--- a/.github/workflows/issue-triage.lock.yml +++ b/.github/workflows/issue-triage.lock.yml @@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -31,8 +31,8 @@ name: "Agentic Triage" "on": issues: types: - - opened - - reopened + - opened + - reopened permissions: {} @@ -156,27 +156,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config 
@@ -374,18 +353,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: @@ -401,9 +380,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -411,23 +390,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -463,7 +442,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -493,13 +472,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -535,9 +514,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. 
@@ -568,42 +547,42 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # Agentic Triage - - - + + + You're a triage assistant for GitHub issues. Your task is to analyze issue #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ and perform some initial triage tasks related to that issue. - + 1. Select appropriate labels for the issue from the provided list. - + 2. Retrieve the issue content using the `get_issue` tool. If the issue is obviously spam, or generated by bot, or something else that is not an actual issue to be worked on, then add an issue comment to the issue with a one sentence analysis and exit the workflow. - + 3. Next, use the GitHub tools to gather additional context about the issue: - + - Fetch the list of labels available in this repository. Use 'gh label list' bash command to fetch the labels. This will give you the labels you can use for triaging issues. - Fetch any comments on the issue using the `get_issue_comments` tool - Find similar issues if needed using the `search_issues` tool - List the issues to see other open issues in the repository using the `list_issues` tool - + 4. Analyze the issue content, considering: - + - The issue title and description - The type of issue (bug report, feature request, question, etc.) - Technical areas mentioned - Severity or priority indicators - User impact - Components affected - + 5. Write notes, ideas, nudges, resource links, debugging strategies and/or reproduction steps for the team to consider relevant to the issue. - + 6. Select appropriate labels from the available labels list provided above: - + - Choose labels that accurately reflect the issue's nature - Be specific but comprehensive - Select priority labels if you can determine urgency (high-priority, med-priority, or low-priority) 
@@ -611,13 +590,13 @@ jobs: - Search for similar issues, and if you find similar issues consider using a "duplicate" label if appropriate. Only do so if the issue is a duplicate of another OPEN issue. - Only select labels from the provided list above - It's okay to not add any labels if none are clearly applicable - + 7. Apply the selected labels: - + - Use the `update_issue` tool to apply the labels to the issue - DO NOT communicate directly with users - If no labels are clearly applicable, do not apply any labels - + 8. Add an issue comment to the issue with your analysis: - Start with "🎯 Agentic Issue Triage" - Provide a brief summary of the issue @@ -629,7 +608,7 @@ jobs: - If you have any debugging strategies, include them in the comment - If appropriate break the issue down to sub-tasks and write a checklist of things to do. - Use collapsed-by-default sections in the GitHub markdown to keep the comment tidy. Collapse all sections except the short main summary at the top. - + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -646,7 +625,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -710,7 +689,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" 
@@ -738,8 +717,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} @@ -823,19 +801,6 @@ jobs: /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: @@ -972,7 +937,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: @@ -1210,7 +1175,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"max":1},"add_labels":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"max\":5},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | 
@@ -1229,5 +1194,6 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." + diff --git a/.github/workflows/issue-triage.md b/.github/workflows/issue-triage.md index 43512f97b..cf8c8cd09 100644 --- a/.github/workflows/issue-triage.md +++ b/.github/workflows/issue-triage.md @@ -25,9 +25,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [all] web-fetch: diff --git a/.github/workflows/pr-fix.lock.yml b/.github/workflows/pr-fix.lock.yml index b2247eb74..8ab3a4441 100644 --- a/.github/workflows/pr-fix.lock.yml +++ b/.github/workflows/pr-fix.lock.yml @@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -31,30 +31,30 @@ name: "PR Fix" "on": discussion: types: - - created - - edited + - created + - edited discussion_comment: types: - - created - - edited + - created + - edited issue_comment: types: - - created - - edited + - created + - edited issues: types: - - opened - - edited - - reopened + - opened + - edited + - reopened pull_request: types: - - opened - - edited - - reopened + - opened + - edited + - reopened pull_request_review_comment: types: - - created - - edited + - created + - edited permissions: {} 
@@ -197,27 +197,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config @@ -500,18 +479,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: @@ -527,9 +506,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -537,23 +516,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -589,7 +568,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -619,13 +598,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -663,9 +642,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. @@ -696,7 +675,7 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" 
@@ -706,29 +685,29 @@ jobs: PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # PR Fix - + You are an AI assistant specialized in fixing pull requests with failing CI checks. Your job is to analyze the failure logs, identify the root cause of the failure, and push a fix to the pull request branch for pull request #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ in the repository __GH_AW_GITHUB_REPOSITORY__. - + 1. Read the pull request and the comments - + 2. Take heed of these instructions: "__GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT__" - + - (If there are no particular instructions there, your instructions are to fix the PR based on CI failures. You will need to analyze the failure logs from any failing workflow run associated with the pull request. Identify the specific error messages and any relevant context that can help diagnose the issue. Based on your analysis, determine the root cause of the failure. This may involve researching error messages, looking up documentation, or consulting online resources.) - + 3. Check out the branch for pull request #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ and set up the development environment as needed. - + 4. Formulate a plan to follow the instructions. This may involve modifying code, updating dependencies, changing configuration files, or other actions. - + 5. Implement the changes needed to follow the instructions. - + 6. Run any necessary tests or checks to verify that your fix follows the instructions and does not introduce new problems. - + 7. Run any code formatters or linters used in the repo to ensure your changes adhere to the project's coding standards fixing any new issues they identify. - + 8. If you're confident you've made progress, push the changes to the pull request branch. - + 9. Add a comment to the pull request summarizing the changes you made and the reason for the fix. - + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -747,7 +726,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -820,7 +799,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" @@ -848,8 +827,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} @@ -935,19 +913,6 @@ jobs: /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/aw.patch if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: @@ -1084,7 +1049,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: 
@@ -1283,7 +1248,7 @@ jobs: id: check_command_position uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: - GH_AW_COMMANDS: '["pr-fix"]' + GH_AW_COMMANDS: "[\"pr-fix\"]" with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); @@ -1373,7 +1338,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"max":1},"create_issue":{"max":1,"title_prefix":"${{ github.workflow }}"},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"base_branch":"${{ github.ref_name }}","if_no_changes":"warn","max_patch_size":1024}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_issue\":{\"max\":1,\"title_prefix\":\"${{ github.workflow }}\"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1},\"push_to_pull_request_branch\":{\"base_branch\":\"${{ github.ref_name }}\",\"if_no_changes\":\"warn\",\"max_patch_size\":1024}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | @@ -1392,5 +1357,6 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." + diff --git a/.github/workflows/pr-fix.md b/.github/workflows/pr-fix.md index 73c80c7d3..6fc988b25 100644 --- a/.github/workflows/pr-fix.md +++ b/.github/workflows/pr-fix.md @@ -28,9 +28,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [all] web-fetch: bash: diff --git a/.github/workflows/update-docs.lock.yml b/.github/workflows/update-docs.lock.yml index c41544c63..48c232cf5 100644 --- a/.github/workflows/update-docs.lock.yml +++ b/.github/workflows/update-docs.lock.yml 
@@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -32,7 +32,7 @@ name: "Update Docs" "on": push: branches: - - main + - main workflow_dispatch: permissions: {} @@ -141,27 +141,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config 
@@ -350,18 +329,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: @@ -377,9 +356,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -387,23 +366,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -439,7 +418,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -469,13 +448,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -512,9 +491,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. 
@@ -545,63 +524,63 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # Update Docs - + ## Job Description - - - + + + Your name is __GH_AW_GITHUB_WORKFLOW__. You are an **Autonomous Technical Writer & Documentation Steward** for the GitHub repository `__GH_AW_GITHUB_REPOSITORY__`. - + ### Mission - + Ensure every code‑level change is mirrored by clear, accurate, and stylistically consistent documentation. - + ### Voice & Tone - + - Precise, concise, and developer‑friendly - Active voice, plain English, progressive disclosure (high‑level first, drill‑down examples next) - Empathetic toward both newcomers and power users - + ### Key Values - + Documentation‑as‑Code, transparency, single source of truth, continuous improvement, accessibility, internationalization‑readiness - + ### Your Workflow - + 1. **Analyze Repository Changes** - + - On every push to main branch, examine the diff to identify changed/added/removed entities - Look for new APIs, functions, classes, configuration files, or significant code changes - Check existing documentation for accuracy and completeness - Identify documentation gaps like failing tests: a "red build" until fixed - + 2. 
**Synchronize Root Documentation Files** - + - **README.md**: Check if the root README.md is consistent with docs/src/content/docs/index.mdx - Ensure key features, getting started instructions, and links are in sync - Update either file if they've diverged - README.md should be the concise GitHub landing page - docs/index.mdx should be the comprehensive documentation home - + - **CONTRIBUTING.md**: Check if CONTRIBUTING.md is correct, and helpful for contributors - Ensure prerequisites, build commands, and contribution guidelines are consistent - Update file if it diverges from the current state of the project - CONTRIBUTING.md should be the primary source for contributor information - + - **.github/copilot-instructions.md**: Check if copilot-instructions.md is aligned with the codebase - Ensure architecture overview, build commands, and project structure are accurate - Update when significant project changes occur - This file guides AI assistants working on the codebase - + 3. **Documentation Assessment** - + - Review existing documentation structure (look for docs/, documentation/, or similar directories) - Assess documentation quality against style guidelines: - Diátaxis framework (tutorials, how-to guides, technical reference, explanation) 
@@ -609,17 +588,17 @@ jobs: - Inclusive naming conventions - Microsoft Writing Style Guide standards - Identify missing or outdated documentation - + 4. **Create or Update Documentation** - + - Use Markdown (.md) format wherever possible - Fall back to MDX only when interactive components are indispensable - Follow progressive disclosure: high-level concepts first, detailed examples second - Ensure content is accessible and internationalization-ready - Create clear, actionable documentation that serves both newcomers and power users - + 5. **Documentation Structure & Organization** - + - Organize content following Diátaxis methodology: - **Tutorials**: Learning-oriented, hands-on lessons - **How-to guides**: Problem-oriented, practical steps 
@@ -627,43 +606,43 @@ jobs: - **Explanation**: Understanding-oriented, clarification and discussion - Maintain consistent navigation and cross-references - Ensure searchability and discoverability - + 6. **Quality Assurance** - + - Check for broken links, missing images, or formatting issues - Ensure code examples are accurate and functional - Verify accessibility standards are met - + 7. **Continuous Improvement** - + - Perform nightly sanity sweeps for documentation drift - Update documentation based on user feedback in issues and discussions - Maintain and improve documentation toolchain and automation - + ### Output Requirements - + - **Create Draft Pull Requests**: When documentation needs updates, create focused draft pull requests with clear descriptions - + ### Technical Implementation - + - **Hosting**: Prepare documentation for GitHub Pages deployment with branch-based workflows - **Automation**: Implement linting and style checking for documentation consistency - + ### Error Handling - + - If documentation directories don't exist, suggest appropriate structure - If build tools are missing, recommend necessary packages or configuration - + ### Exit Conditions - + - Exit if the repository has no implementation code yet (empty repository) - Exit if no code changes require documentation updates - Exit if all documentation is already up-to-date and comprehensive - + > NOTE: Never make direct pushes to the main branch. Always create a pull request for documentation changes. - + > NOTE: Treat documentation gaps like failing tests. - + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -681,7 +660,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, 
@@ -747,7 +726,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" @@ -775,8 +754,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} @@ -861,19 +839,6 @@ jobs: /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/aw.patch if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: @@ -1026,7 +991,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: 
@@ -1273,7 +1238,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"create_pull_request":{"base_branch":"${{ github.ref_name }}","draft":true,"max":1,"max_patch_size":1024},"missing_data":{},"missing_tool":{},"noop":{"max":1}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | @@ -1292,5 +1257,6 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." + diff --git a/.github/workflows/update-docs.md b/.github/workflows/update-docs.md index 038d00ee3..0507b5d55 100644 --- a/.github/workflows/update-docs.md +++ b/.github/workflows/update-docs.md @@ -28,9 +28,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [all] web-fetch: web-search: diff --git a/.github/workflows/weekly-research.lock.yml b/.github/workflows/weekly-research.lock.yml index 7c81f9c82..9ae4551e1 100644 --- a/.github/workflows/weekly-research.lock.yml +++ b/.github/workflows/weekly-research.lock.yml @@ -1,12 +1,12 @@ # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| 
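Review bot: Removing the `app:` block under `tools.github` in update-docs.md leaves `toolsets: [all]` with nothing in the frontmatter that bounds what the MCP server's token may do. The regenerated lock file now fills `GITHUB_MCP_SERVER_TOKEN` from `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`, whereas the removed "Generate GitHub App token" step (visible in the weekly-research.lock.yml hunk) minted a single-repository token with an explicit list of `read` permissions, and the removed "Invalidate GitHub App token" step revoked it when the job finished. If either of the first two secrets is a personal access token, its scope and lifetime are whatever it was created with, and the lock file passes it into the gateway container with `-e GITHUB_MCP_SERVER_TOKEN`. I would narrow the toolsets to what this workflow actually reads, for example `toolsets: [repos, pull_requests]` if that is sufficient, and add a comment above it such as `# MCP token comes from GH_AW_GITHUB_MCP_SERVER_TOKEN: keep it fine-grained, read-only, this repository only`. The same removal is made in weekly-research.md.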
@@ -30,8 +30,8 @@ name: "Weekly Research" "on": schedule: - - cron: "38 8 * * 1" - # Friendly format: weekly on monday (scattered) + - cron: "38 8 * * 1" + # Friendly format: weekly on monday (scattered) workflow_dispatch: permissions: {} @@ -140,27 +140,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Generate GitHub App token - id: github-mcp-app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: ${{ github.event.repository.name }} - github-api-url: ${{ github.api_url }} - permission-actions: read - permission-checks: read - permission-contents: read - permission-deployments: read - permission-discussions: read - permission-issues: read - permission-organization-projects: read - permission-packages: read - permission-pages: read - permission-pull-requests: read - permission-security-events: read - permission-statuses: read - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config @@ -339,18 +318,18 @@ jobs: API_KEY="" API_KEY=$(openssl rand -base64 45 | tr -d '/+=') PORT=3001 - + # Register API key as secret to mask it from logs echo "::add-mask::${API_KEY}" - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: 
@@ -366,9 +345,9 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - + bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + - name: Start MCP gateway id: start-mcp-gateway env: 
@@ -376,23 +355,23 @@ jobs: GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} - GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" MCP_GATEWAY_API_KEY="" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export MCP_GATEWAY_API_KEY - + # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw 
ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' - + mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -428,7 +407,7 @@ jobs: with: script: | const fs = require('fs'); - + const awInfo = { engine_id: "copilot", engine_name: "GitHub Copilot CLI", @@ -458,13 +437,13 @@ jobs: }, created_at: new Date().toISOString() }; - + // Write to /tmp/gh-aw directory to avoid inclusion in PR const tmpPath = '/tmp/gh-aw/aw_info.json'; fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); console.log('Generated aw_info.json at:', tmpPath); console.log(JSON.stringify(awInfo, null, 2)); - + // Set model as output for reuse in other steps/jobs core.setOutput('model', awInfo.model); - name: Generate workflow overview @@ -501,9 +480,9 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - + Discover available tools from the safeoutputs MCP server. - + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. @@ -534,23 +513,23 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" # Weekly Research - + ## Job Description - + Do a deep research investigation in __GH_AW_GITHUB_REPOSITORY__ repository, and the related industry in general. - + - Read selections of the latest code, issues and PRs for this repo. - Read latest trends and news from the software industry news source on the Web. - + Create a new GitHub discussion with title starting with "__GH_AW_GITHUB_WORKFLOW__" containing a markdown report with - + - Interesting news about the area related to this software project. - Related products and competitive analysis - Related research papers 
@@ -558,15 +537,15 @@ jobs: - Market opportunities - Business analysis - Enjoyable anecdotes - + Only a new discussion should be created, no existing discussions should be adjusted. - + At the end of the report list write a collapsed section with the following: - + - All search queries (web, issues, pulls, content) you used - All bash commands you executed - All MCP tools you used - + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -584,7 +563,7 @@ jobs: with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -650,7 +629,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" @@ -678,8 +657,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: - GH_AW_SECRET_NAMES: "APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN" - SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} 
@@ -763,19 +741,6 @@ jobs: /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log if-no-files-found: ignore - - name: Invalidate GitHub App token - if: always() && steps.github-mcp-app-token.outputs.token != '' - env: - TOKEN: ${{ steps.github-mcp-app-token.outputs.token }} - run: | - echo "Revoking GitHub App installation token..." - # GitHub CLI will auth with the token being revoked. - gh api \ - --method DELETE \ - -H "Authorization: token $TOKEN" \ - /installation/token || echo "Token revoke may already be expired." - - echo "Token invalidation step complete." conclusion: needs: @@ -912,7 +877,7 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." detection: @@ -1109,7 +1074,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"create_discussion":{"category":"agentic-workflows","expires":168,"max":1,"title_prefix":"${{ github.workflow }}"},"missing_data":{},"missing_tool":{},"noop":{"max":1}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"agentic-workflows\",\"expires\":168,\"max\":1,\"title_prefix\":\"${{ github.workflow }}\"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ steps.safe-outputs-app-token.outputs.token }} script: | @@ -1128,5 +1093,6 @@ jobs: --method DELETE \ -H "Authorization: token $TOKEN" \ /installation/token || echo "Token revoke may already be expired." - + echo "Token invalidation step complete." + diff --git a/.github/workflows/weekly-research.md b/.github/workflows/weekly-research.md index be0c045b2..7c1df8480 100644 --- a/.github/workflows/weekly-research.md +++ b/.github/workflows/weekly-research.md 
@@ -26,9 +26,6 @@ safe-outputs: tools: github: - app: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} toolsets: [all] web-fetch: