recompile: regenerate lock files after second main merge #70
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| # | ||
|
Check failure on line 1 in .github/workflows/smoke-agent-all-merged.lock.yml
|
||
| # ___ _ _ | ||
| # / _ \ | | (_) | ||
| # | |_| | __ _ ___ _ __ | |_ _ ___ | ||
| # | _ |/ _` |/ _ \ '_ \| __| |/ __| | ||
| # | | | | (_| | __/ | | | |_| | (__ | ||
| # \_| |_/\__, |\___|_| |_|\__|_|\___| | ||
| # __/ | | ||
| # _ _ |___/ | ||
| # | | | | / _| | | ||
| # | | | | ___ _ __ _ __| |_| | _____ ____ | ||
| # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| | ||
| # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ | ||
| # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ | ||
| # | ||
| # This file was automatically generated by gh-aw. DO NOT EDIT. | ||
| # | ||
| # To update this file, edit the corresponding .md file and run: | ||
| # gh aw compile | ||
| # Not all edits will cause changes to this file. | ||
| # | ||
| # For more information: https://github.github.com/gh-aw/introduction/overview/ | ||
| # | ||
| # Guard policy smoke test: repos=all, min-integrity=merged (most restrictive) | ||
| # | ||
| # gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e3acfb90c523ed41aff2574700873d4ff6fca754fce908743a5b8157de83596a","strict":true} | ||
| # Top-level settings. Apart from manual dispatch, the only trigger is a pull_request 'labeled' event; the label name itself is checked in the job conditions. | ||
| name: "Smoke Agent: all/merged" | ||
| "on": | ||
| pull_request: | ||
| # names: # Label filtering applied via job conditions | ||
| # - metal # Label filtering applied via job conditions | ||
| types: | ||
| - labeled | ||
| workflow_dispatch: null | ||
| # Empty workflow-level permissions: no token scope is granted by default, so every job has to declare the scopes it needs. | ||
| permissions: {} | ||
| # One concurrency group per workflow and pull request number (falling back to ref, then run id); a newer run cancels the one in progress. | ||
| concurrency: | ||
| group: "gh-aw-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}" | ||
| cancel-in-progress: true | ||
| run-name: "Smoke Agent: all/merged" | ||
| jobs: | ||
| # Activation job: builds the prompt and posts the run-link comment before the agent job starts. | ||
| activation: | ||
| needs: pre_activation | ||
| # Gate: pre_activation must have reported activated == 'true'. For pull_request events the head repository id must equal this repository's id, so pull requests from other repositories are skipped, and a 'labeled' action only passes when the label is 'metal'. | ||
| # NOTE(review): pre_activation is not shown in this part of the file; what it checks before setting 'activated' should be confirmed there. | ||
| if: > | ||
| (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && | ||
| ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'metal')))) | ||
| runs-on: ubuntu-slim | ||
| # This job carries the write scopes (discussions, issues, pull-requests); the agent job declares read-only scopes. | ||
| permissions: | ||
| contents: read | ||
| discussions: write | ||
| issues: write | ||
| pull-requests: write | ||
| outputs: | ||
| body: ${{ steps.sanitized.outputs.body }} | ||
| comment_id: ${{ steps.add-comment.outputs.comment-id }} | ||
| comment_repo: ${{ steps.add-comment.outputs.comment-repo }} | ||
| comment_url: ${{ steps.add-comment.outputs.comment-url }} | ||
| model: ${{ steps.generate_aw_info.outputs.model }} | ||
| secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} | ||
| text: ${{ steps.sanitized.outputs.text }} | ||
| title: ${{ steps.sanitized.outputs.title }} | ||
| steps: | ||
| - name: Checkout actions folder | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| repository: github/gh-aw | ||
| sparse-checkout: | | ||
| actions | ||
| persist-credentials: false | ||
| - name: Setup Scripts | ||
| uses: ./actions/setup | ||
| with: | ||
| destination: ${{ env.GH_AW_HOME }}/actions | ||
| - name: Generate agentic run info | ||
| id: generate_aw_info | ||
| env: | ||
| GH_AW_INFO_ENGINE_ID: "codex" | ||
| GH_AW_INFO_ENGINE_NAME: "Codex" | ||
| GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CODEX || '' }} | ||
| GH_AW_INFO_VERSION: "" | ||
| GH_AW_INFO_AGENT_VERSION: "latest" | ||
| GH_AW_INFO_WORKFLOW_NAME: "Smoke Agent: all/merged" | ||
| GH_AW_INFO_EXPERIMENTAL: "false" | ||
| GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true" | ||
| GH_AW_INFO_STAGED: "false" | ||
| GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' | ||
| GH_AW_INFO_FIREWALL_ENABLED: "true" | ||
| GH_AW_INFO_AWF_VERSION: "v0.24.2" | ||
| GH_AW_INFO_AWMG_VERSION: "" | ||
| GH_AW_INFO_FIREWALL_TYPE: "squid" | ||
| GH_AW_COMPILED_STRICT: "true" | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| with: | ||
| script: | | ||
| const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); | ||
| await main(core, context); | ||
| - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret | ||
| id: validate-secret | ||
| run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex | ||
| env: | ||
| CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} | ||
| OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} | ||
| - name: Checkout .github and .agents folders | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: false | ||
| sparse-checkout: | | ||
| .github | ||
| .agents | ||
| sparse-checkout-cone-mode: true | ||
| fetch-depth: 1 | ||
| - name: Check workflow file timestamps | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| env: | ||
| GH_AW_WORKFLOW_FILE: "smoke-agent-all-merged.lock.yml" | ||
| with: | ||
| script: | | ||
| const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); | ||
| setupGlobals(core, github, context, exec, io); | ||
| const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); | ||
| await main(); | ||
| - name: Compute current body text | ||
| id: sanitized | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| with: | ||
| script: | | ||
| const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); | ||
| setupGlobals(core, github, context, exec, io); | ||
| const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); | ||
| await main(); | ||
| - name: Add comment with workflow run link | ||
| id: add-comment | ||
| if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| env: | ||
| GH_AW_WORKFLOW_NAME: "Smoke Agent: all/merged" | ||
| GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e π€ *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"π [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=merged`...\",\"runSuccess\":\"β [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"β [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" | ||
| with: | ||
| script: | | ||
| const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); | ||
| setupGlobals(core, github, context, exec, io); | ||
| const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); | ||
| await main(); | ||
| - name: Create prompt with built-in context | ||
| env: | ||
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | ||
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | ||
| GH_AW_GITHUB_ACTOR: ${{ github.actor }} | ||
| GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} | ||
| GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} | ||
| GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} | ||
| GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} | ||
| GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} | ||
| GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} | ||
| GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} | ||
| run: | | ||
| bash ${GH_AW_HOME}/actions/create_prompt_first.sh | ||
| { | ||
| cat << 'GH_AW_PROMPT_EOF' | ||
| <system> | ||
| GH_AW_PROMPT_EOF | ||
| cat "${GH_AW_HOME}/prompts/xpia.md" | ||
| cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" | ||
| cat "${GH_AW_HOME}/prompts/markdown.md" | ||
| cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" | ||
| cat << 'GH_AW_PROMPT_EOF' | ||
| <safe-output-tools> | ||
| Tools: add_comment, missing_tool, missing_data, noop | ||
| </safe-output-tools> | ||
| <github-context> | ||
| The following GitHub context information is available for this workflow: | ||
| {{#if __GH_AW_GITHUB_ACTOR__ }} | ||
| - **actor**: __GH_AW_GITHUB_ACTOR__ | ||
| {{/if}} | ||
| {{#if __GH_AW_GITHUB_REPOSITORY__ }} | ||
| - **repository**: __GH_AW_GITHUB_REPOSITORY__ | ||
| {{/if}} | ||
| {{#if __GH_AW_GITHUB_WORKSPACE__ }} | ||
| - **workspace**: __GH_AW_GITHUB_WORKSPACE__ | ||
| {{/if}} | ||
| {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} | ||
| - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ | ||
| {{/if}} | ||
| {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} | ||
| - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ | ||
| {{/if}} | ||
| {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} | ||
| - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ | ||
| {{/if}} | ||
| {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} | ||
| - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ | ||
| {{/if}} | ||
| {{#if __GH_AW_GITHUB_RUN_ID__ }} | ||
| - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ | ||
| {{/if}} | ||
| </github-context> | ||
| GH_AW_PROMPT_EOF | ||
| cat "${GH_AW_HOME}/prompts/github_mcp_tools_with_safeoutputs_prompt.md" | ||
| cat << 'GH_AW_PROMPT_EOF' | ||
| </system> | ||
| GH_AW_PROMPT_EOF | ||
| cat << 'GH_AW_PROMPT_EOF' | ||
| {{#runtime-import .github/workflows/smoke-agent-all-merged.md}} | ||
| GH_AW_PROMPT_EOF | ||
| } > "$GH_AW_PROMPT" | ||
| - name: Interpolate variables and render templates | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| env: | ||
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | ||
| GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} | ||
| with: | ||
| script: | | ||
| const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); | ||
| setupGlobals(core, github, context, exec, io); | ||
| const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); | ||
| await main(); | ||
| - name: Substitute placeholders | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| env: | ||
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | ||
| GH_AW_GITHUB_ACTOR: ${{ github.actor }} | ||
| GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} | ||
| GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} | ||
| GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} | ||
| GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} | ||
| GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} | ||
| GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} | ||
| GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} | ||
| GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} | ||
| with: | ||
| script: | | ||
| const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); | ||
| setupGlobals(core, github, context, exec, io); | ||
| const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); | ||
| // Call the substitution function | ||
| return await substitutePlaceholders({ | ||
| file: process.env.GH_AW_PROMPT, | ||
| substitutions: { | ||
| GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, | ||
| GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, | ||
| GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, | ||
| GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, | ||
| GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, | ||
| GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, | ||
| GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, | ||
| GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE, | ||
| GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED | ||
| } | ||
| }); | ||
| - name: Validate prompt placeholders | ||
| env: | ||
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | ||
| run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh | ||
| - name: Print prompt | ||
| env: | ||
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | ||
| run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh | ||
| - name: Upload activation artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | ||
| with: | ||
| name: activation | ||
| path: | | ||
| /tmp/gh-aw/aw_info.json | ||
| /tmp/gh-aw/aw-prompts/prompt.txt | ||
| retention-days: 1 | ||
| agent: | ||
| needs: activation | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| issues: read | ||
| pull-requests: read | ||
| env: | ||
| DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | ||
| GH_AW_ASSETS_ALLOWED_EXTS: "" | ||
| GH_AW_ASSETS_BRANCH: "" | ||
| GH_AW_ASSETS_MAX_SIZE_KB: 0 | ||
| GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} | ||
| GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs | ||
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json | ||
| GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json | ||
| GH_AW_WORKFLOW_ID_SANITIZED: smokeagentallmerged | ||
| outputs: | ||
| checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} | ||
| detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} | ||
| detection_success: ${{ steps.detection_conclusion.outputs.success }} | ||
| has_patch: ${{ steps.collect_output.outputs.has_patch }} | ||
| model: ${{ needs.activation.outputs.model }} | ||
| output: ${{ steps.collect_output.outputs.output }} | ||
| output_types: ${{ steps.collect_output.outputs.output_types }} | ||
| steps: | ||
| - name: Checkout actions folder | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| repository: github/gh-aw | ||
| sparse-checkout: | | ||
| actions | ||
| persist-credentials: false | ||
| - name: Setup Scripts | ||
| uses: ./actions/setup | ||
| with: | ||
| destination: ${{ env.GH_AW_HOME }}/actions | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Create gh-aw temp directory | ||
| run: | | ||
| bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh | ||
| echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" | ||
| echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" | ||
| echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" | ||
| # Sets the bot identity for git and points the origin remote at a token-authenticated URL. | ||
| # NOTE(review): the github.token expression in the set-url line is substituted into the script text before bash runs, and git remote set-url stores the resulting URL, token included, in the repository's git config. Passing the token through env: (as REPO_NAME and SERVER_URL are) and referencing the shell variable would keep it out of the rendered script. | ||
| # NOTE(review): the "Clean git credentials" step runs before "Execute Codex"; presumably it removes this URL again - confirm in clean_git_credentials.sh. | ||
| - name: Configure Git credentials | ||
| env: | ||
| REPO_NAME: ${{ github.repository }} | ||
| SERVER_URL: ${{ github.server_url }} | ||
| run: | | ||
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | ||
| git config --global user.name "github-actions[bot]" | ||
| git config --global am.keepcr true | ||
| # Re-authenticate git with GitHub token | ||
| # The scheme is stripped so the token can be placed in front of the host name. | ||
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | ||
| git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | ||
| echo "Git configured with standard GitHub Actions identity" | ||
| - name: Checkout PR branch | ||
| id: checkout-pr | ||
| if: | | ||
| (github.event.pull_request) || (github.event.issue.pull_request) | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| with: | ||
| github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| script: | | ||
| const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); | ||
| setupGlobals(core, github, context, exec, io); | ||
| const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); | ||
| await main(); | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | ||
| with: | ||
| node-version: '24' | ||
| package-manager-cache: false | ||
| # NOTE(review): '@latest' is resolved at run time, so the agent CLI version is not fixed by this lock file, unlike the SHA-pinned actions and the version-tagged AWF binary and container images used in this job. Pinning an exact version would make runs reproducible and version changes reviewable. | ||
| - name: Install Codex | ||
| run: npm install -g @openai/codex@latest | ||
| - name: Install AWF binary | ||
| run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.2 | ||
| - name: Download container images | ||
| run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine | ||
| - name: Write Safe Outputs Config | ||
| run: | | ||
| mkdir -p ${GH_AW_HOME}/safeoutputs | ||
| mkdir -p /tmp/gh-aw/safeoutputs | ||
| mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs | ||
| cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' | ||
| {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_EOF | ||
| - name: Write Safe Outputs Tools | ||
| run: | | ||
| cat > ${GH_AW_HOME}/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' | ||
| { | ||
| "description_suffixes": { | ||
| "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added." | ||
| }, | ||
| "repo_params": {}, | ||
| "dynamic_tools": [] | ||
| } | ||
| GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF | ||
| cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' | ||
| { | ||
| "add_comment": { | ||
| "defaultMax": 1, | ||
| "fields": { | ||
| "body": { | ||
| "required": true, | ||
| "type": "string", | ||
| "sanitize": true, | ||
| "maxLength": 65000 | ||
| }, | ||
| "item_number": { | ||
| "issueOrPRNumber": true | ||
| }, | ||
| "repo": { | ||
| "type": "string", | ||
| "maxLength": 256 | ||
| } | ||
| } | ||
| }, | ||
| "missing_data": { | ||
| "defaultMax": 20, | ||
| "fields": { | ||
| "alternatives": { | ||
| "type": "string", | ||
| "sanitize": true, | ||
| "maxLength": 256 | ||
| }, | ||
| "context": { | ||
| "type": "string", | ||
| "sanitize": true, | ||
| "maxLength": 256 | ||
| }, | ||
| "data_type": { | ||
| "type": "string", | ||
| "sanitize": true, | ||
| "maxLength": 128 | ||
| }, | ||
| "reason": { | ||
| "type": "string", | ||
| "sanitize": true, | ||
| "maxLength": 256 | ||
| } | ||
| } | ||
| }, | ||
| "missing_tool": { | ||
| "defaultMax": 20, | ||
| "fields": { | ||
| "alternatives": { | ||
| "type": "string", | ||
| "sanitize": true, | ||
| "maxLength": 512 | ||
| }, | ||
| "reason": { | ||
| "required": true, | ||
| "type": "string", | ||
| "sanitize": true, | ||
| "maxLength": 256 | ||
| }, | ||
| "tool": { | ||
| "type": "string", | ||
| "sanitize": true, | ||
| "maxLength": 128 | ||
| } | ||
| } | ||
| }, | ||
| "noop": { | ||
| "defaultMax": 1, | ||
| "fields": { | ||
| "message": { | ||
| "required": true, | ||
| "type": "string", | ||
| "sanitize": true, | ||
| "maxLength": 65000 | ||
| } | ||
| } | ||
| } | ||
| } | ||
| GH_AW_SAFE_OUTPUTS_VALIDATION_EOF | ||
| node ${GH_AW_HOME}/actions/generate_safe_outputs_tools.cjs | ||
| - name: Generate Safe Outputs MCP Server Config | ||
| id: safe-outputs-config | ||
| run: | | ||
| # Generate a random API key from 45 bytes (360 bits) of openssl output, base64-encoded. | ||
| # tr then deletes '/', '+' and '=', so the final key is somewhat shorter than the 60 base64 characters and carries slightly less than 360 bits. | ||
| # Register the key with ::add-mask:: before anything else can print it, so the runner redacts it from later log output. | ||
| API_KEY=$(openssl rand -base64 45 | tr -d '/+=') | ||
| echo "::add-mask::${API_KEY}" | ||
| PORT=3001 | ||
| # Set outputs for next steps | ||
| { | ||
| echo "safe_outputs_api_key=${API_KEY}" | ||
| echo "safe_outputs_port=${PORT}" | ||
| } >> "$GITHUB_OUTPUT" | ||
| echo "Safe Outputs MCP server will run on port ${PORT}" | ||
| - name: Start Safe Outputs MCP HTTP Server | ||
| id: safe-outputs-start | ||
| env: | ||
| DEBUG: '*' | ||
| GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} | ||
| GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} | ||
| GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json | ||
| GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs | ||
| run: | | ||
| # Environment variables are set above to prevent template injection | ||
| export DEBUG | ||
| export GH_AW_SAFE_OUTPUTS_PORT | ||
| export GH_AW_SAFE_OUTPUTS_API_KEY | ||
| export GH_AW_SAFE_OUTPUTS_TOOLS_PATH | ||
| export GH_AW_SAFE_OUTPUTS_CONFIG_PATH | ||
| export GH_AW_MCP_LOG_DIR | ||
| bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh | ||
| # Starts the MCP gateway container and writes the two MCP configurations: config.toml for the agent and a JSON document piped to start_mcp_gateway.sh. | ||
| # NOTE(review): the gateway container gets the host Docker socket (-v /var/run/docker.sock), host networking, /tmp read-write and the workspace read-write. Access to the Docker socket amounts to control of the runner's Docker daemon, so the gateway image is part of the trusted base; it is referenced by tag (v0.1.15), not by digest. | ||
| # NOTE(review): the API key and port are read from steps.safe-outputs-start outputs named api_key/port, while the "Generate Safe Outputs MCP Server Config" step emits safe_outputs_api_key/safe_outputs_port; presumably start_safe_outputs_server.sh sets the former - confirm. | ||
| - name: Start MCP Gateway | ||
| id: start-mcp-gateway | ||
| env: | ||
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | ||
| GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} | ||
| GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} | ||
| GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| set -eo pipefail | ||
| mkdir -p /tmp/gh-aw/mcp-config | ||
| # Export gateway environment variables for MCP config and gateway script | ||
| export MCP_GATEWAY_PORT="80" | ||
| export MCP_GATEWAY_DOMAIN="host.docker.internal" | ||
| MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') | ||
| echo "::add-mask::${MCP_GATEWAY_API_KEY}" | ||
| export MCP_GATEWAY_API_KEY | ||
| export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads" | ||
| mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" | ||
| export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288" | ||
| export DEBUG="*" | ||
| export GH_AW_ENGINE="codex" | ||
| export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' | ||
| # NOTE(review): both heredoc delimiters below are unquoted, so bash expands the $VARIABLES while writing. The safe-outputs API key is written in clear text to config.toml under /tmp/gh-aw/mcp-config (the directory later used as CODEX_HOME); the JSON piped to start_mcp_gateway.sh additionally carries the MCP server token and the gateway API key. | ||
| # NOTE(review): GH_AW_GITHUB_TOKEN is not set in this step's env: block; unless it is exported elsewhere it expands to an empty string in config.toml, while the JSON config uses GITHUB_MCP_SERVER_TOKEN - confirm which is intended. | ||
| cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF | ||
| [history] | ||
| persistence = "none" | ||
| [shell_environment_policy] | ||
| inherit = "core" | ||
| include_only = ["CODEX_API_KEY", "GH_AW_ASSETS_ALLOWED_EXTS", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_SAFE_OUTPUTS", "GITHUB_PERSONAL_ACCESS_TOKEN", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "HOME", "OPENAI_API_KEY", "PATH"] | ||
| [mcp_servers.github] | ||
| user_agent = "smoke-agent-all-merged" | ||
| startup_timeout_sec = 120 | ||
| tool_timeout_sec = 60 | ||
| container = "ghcr.io/github/github-mcp-server:v0.32.0" | ||
| env = { "GITHUB_HOST" = "$GITHUB_SERVER_URL", "GITHUB_PERSONAL_ACCESS_TOKEN" = "$GH_AW_GITHUB_TOKEN", "GITHUB_READ_ONLY" = "1", "GITHUB_TOOLSETS" = "context,repos,issues,pull_requests" } | ||
| env_vars = ["GITHUB_HOST", "GITHUB_PERSONAL_ACCESS_TOKEN", "GITHUB_READ_ONLY", "GITHUB_TOOLSETS"] | ||
| [mcp_servers.safeoutputs] | ||
| type = "http" | ||
| url = "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT" | ||
| [mcp_servers.safeoutputs.headers] | ||
| Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" | ||
| [mcp_servers.safeoutputs."guard-policies"] | ||
| [mcp_servers.safeoutputs."guard-policies".write-sink] | ||
| accept = ["*"] | ||
| GH_AW_MCP_CONFIG_EOF | ||
| # Generate JSON config for MCP gateway | ||
| # The github server entry carries the guard policy this smoke test exercises (allow-only: min-integrity "merged", repos "all"); the server is also started with GITHUB_READ_ONLY=1. | ||
| cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh | ||
| { | ||
| "mcpServers": { | ||
| "github": { | ||
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "env": { | ||
| "GITHUB_HOST": "$GITHUB_SERVER_URL", | ||
| "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN", | ||
| "GITHUB_READ_ONLY": "1", | ||
| "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" | ||
| }, | ||
| "guard-policies": { | ||
| "allow-only": { | ||
| "min-integrity": "merged", | ||
| "repos": "all" | ||
| } | ||
| } | ||
| }, | ||
| "safeoutputs": { | ||
| "type": "http", | ||
| "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", | ||
| "headers": { | ||
| "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" | ||
| }, | ||
| "guard-policies": { | ||
| "write-sink": { | ||
| "accept": [ | ||
| "*" | ||
| ] | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "gateway": { | ||
| "port": $MCP_GATEWAY_PORT, | ||
| "domain": "${MCP_GATEWAY_DOMAIN}", | ||
| "apiKey": "${MCP_GATEWAY_API_KEY}", | ||
| "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" | ||
| } | ||
| } | ||
| GH_AW_MCP_CONFIG_EOF | ||
| - name: Download activation artifact | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| with: | ||
| name: activation | ||
| path: /tmp/gh-aw | ||
| - name: Clean git credentials | ||
| continue-on-error: true | ||
| run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh | ||
| # Runs the Codex agent on the prepared prompt inside the awf wrapper and tees its output to /tmp/gh-aw/agent-stdio.log. | ||
| # NOTE(review): codex is started with --dangerously-bypass-approvals-and-sandbox, i.e. its own approval prompts and sandbox are switched off. Containment in this step therefore rests on the awf wrapper (the --allow-domains list) and on the MCP gateway configuration; treat any change to the awf arguments as a change to the sandbox boundary. | ||
| # NOTE(review): sudo -E together with --env-all presumably forwards this step's environment, including CODEX_API_KEY and OPENAI_API_KEY, into the container - confirm against the awf documentation, including what --enable-api-proxy changes about key handling. | ||
| - name: Execute Codex | ||
| run: | | ||
| set -o pipefail | ||
| mkdir -p "$CODEX_HOME/logs" && touch /tmp/gh-aw/agent-step-summary.md | ||
| # shellcheck disable=SC1003 | ||
| sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,172.30.0.1,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.2 --skip-pull --enable-api-proxy \ | ||
| -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec -c web_search="disabled" --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log | ||
| # CODEX_HOME points at the directory holding the generated config.toml. RUST_LOG enables debug/trace output for several components, all of which lands in the tee'd log; the "Redact secrets in logs" step runs afterwards with if: always(). | ||
| env: | ||
| CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }} | ||
| CODEX_HOME: /tmp/gh-aw/mcp-config | ||
| GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/config.toml | ||
| GH_AW_MODEL_AGENT_CODEX: ${{ vars.GH_AW_MODEL_AGENT_CODEX || '' }} | ||
| GH_AW_PHASE: agent | ||
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | ||
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | ||
| GH_AW_VERSION: dev | ||
| GITHUB_AW: true | ||
| GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md | ||
| GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com | ||
| GIT_AUTHOR_NAME: github-actions[bot] | ||
| GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com | ||
| GIT_COMMITTER_NAME: github-actions[bot] | ||
| OPENAI_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }} | ||
| RUST_LOG: trace,hyper_util=info,mio=info,reqwest=info,os_info=info,codex_otel=warn,codex_core=debug,ocodex_exec=debug | ||
| # Restores the token-authenticated origin URL after the agent step has finished. | ||
| # NOTE(review): the github.token expression in the set-url line is substituted into the script text before bash runs and ends up in the repository's git config. This step runs after the agent, which used the workspace as its working directory, so later git commands operate on a tree the agent could write to. Passing the token via env: would at least keep it out of the rendered script. | ||
| - name: Configure Git credentials | ||
| env: | ||
| REPO_NAME: ${{ github.repository }} | ||
| SERVER_URL: ${{ github.server_url }} | ||
| run: | | ||
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | ||
| git config --global user.name "github-actions[bot]" | ||
| git config --global am.keepcr true | ||
| # Re-authenticate git with GitHub token | ||
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | ||
| git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | ||
| echo "Git configured with standard GitHub Actions identity" | ||
| - name: Stop MCP Gateway | ||
| if: always() | ||
| continue-on-error: true | ||
| env: | ||
| MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} | ||
| MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} | ||
| GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} | ||
| run: | | ||
| bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" | ||
| - name: Redact secrets in logs | ||
| if: always() | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| with: | ||
| script: | | ||
| const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); | ||
| setupGlobals(core, github, context, exec, io); | ||
| const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); | ||
| await main(); | ||
| env: | ||
| GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' | ||
| SECRET_CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} | ||
| SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} | ||
| SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} | ||
| SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} | ||
| - name: Append agent step summary | ||
| if: always() | ||
| run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh | ||
| - name: Copy Safe Outputs | ||
| if: always() | ||
| run: | | ||
| mkdir -p /tmp/gh-aw | ||
| cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null || true | ||
# Ingests the agent's output. The `output_types` and `has_patch` outputs of this
# step are what the detection guard later reads to decide whether threat
# detection runs.
# The action is pinned to a full commit SHA; the .cjs helpers are loaded from
# $GH_AW_HOME at run time, so their integrity depends on how that directory was
# populated (the setup for this job is outside this excerpt).
- name: Ingest agent output
  id: collect_output
  if: always()
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  env:
    GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
    # NOTE(review): presumably the allow-list applied to URLs found in agent
    # output - confirm against collect_ndjson_output.cjs. The list contains a
    # wildcard (*.githubusercontent.com) and loopback/internal hosts
    # (127.0.0.1, ::1, localhost, host.docker.internal, 172.30.0.1).
    GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,127.0.0.1,172.30.0.1,::1,api.openai.com,api.snapcraft.io,app.renovatebot.com,appveyor.com,archive.ubuntu.com,azure.archive.ubuntu.com,badgen.net,circleci.com,codacy.com,codeclimate.com,codecov.io,codeload.github.com,coveralls.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deepsource.io,docs.github.com,drone.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,img.shields.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,localhost,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,readthedocs.io,readthedocs.org,renovatebot.com,s.symcb.com,s.symcd.com,security.ubuntu.com,semaphoreci.com,shields.io,snyk.io,sonarcloud.io,sonarqube.com,travis-ci.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
    GITHUB_SERVER_URL: ${{ github.server_url }}
    GITHUB_API_URL: ${{ github.api_url }}
  with:
    script: |
      const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs');
      await main();
# Parses the agent's stdio log for the step summary using parse_codex_log.cjs.
# The log is agent-produced text; whatever the parser emits ends up in the
# run's summary.
- name: Parse agent logs for step summary
  if: always()
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  env:
    GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log
  with:
    script: |
      const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs');
      await main();
# Runs parse_mcp_gateway_log.cjs; no step-level env is set, so the helper
# locates its input on its own (not visible in this file).
- name: Parse MCP Gateway logs for step summary
  if: always()
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  with:
    script: |
      const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs');
      await main();
# Makes the root-owned firewall logs readable and, when the awf binary is
# present, appends its log summary to the step summary.
# continue-on-error: a failure here never fails the job, so a missing firewall
# summary has to be noticed by reading the run, not by its status.
# NOTE(review): AWF_LOGS_DIR is exported but the script uses the literal path;
# presumably `awf logs summary` reads the variable - confirm.
- name: Print firewall logs
  if: always()
  continue-on-error: true
  env:
    AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
  run: |
    # Fix permissions on firewall logs so they can be uploaded as artifacts
    # AWF runs with sudo, creating files owned by root
    sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
    # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
    if command -v awf &> /dev/null; then
      awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
    else
      echo 'AWF binary not installed, skipping firewall log summary'
    fi
# Publishes the prompt, agent transcript, MCP and firewall logs and the agent
# output as the `agent` artifact. Later jobs download this artifact to obtain
# agent_output.json.
# Everything listed becomes readable to anyone who can download run artifacts,
# so any secret that reaches these paths unredacted is exposed.
# NOTE(review): the SECRET_* variables passed to the step just before this
# excerpt suggest a redaction pass runs earlier - confirm it covers every path
# below.
# continue-on-error + if-no-files-found: ignore: a failed or empty upload does
# not fail the job.
- name: Upload agent artifacts
  if: always()
  continue-on-error: true
  uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
  with:
    name: agent
    path: |
      /tmp/gh-aw/aw-prompts/prompt.txt
      /tmp/gh-aw/mcp-config/logs/
      /tmp/gh-aw/redacted-urls.log
      /tmp/gh-aw/mcp-logs/
      /tmp/gh-aw/sandbox/firewall/logs/
      /tmp/gh-aw/agent-stdio.log
      /tmp/gh-aw/agent/
      /tmp/gh-aw/safeoutputs.jsonl
      /tmp/gh-aw/agent_output.json
    if-no-files-found: ignore
| # --- Threat Detection (inline) --- | ||
# Decides whether threat detection runs: it does when the ingest step reported
# any output types or a patch, otherwise it is skipped.
# The step outputs are passed through `env` and read as quoted shell variables
# rather than interpolated into the script text, which keeps agent-influenced
# values out of the shell source.
# NOTE(review): if the ingest step failed and produced no outputs, both values
# are empty and detection is skipped - confirm nothing downstream can still
# act on agent output in that case.
- name: Check if detection needed
  id: detection_guard
  if: always()
  env:
    OUTPUT_TYPES: ${{ steps.collect_output.outputs.output_types }}
    HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
  run: |
    if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then
      echo "run_detection=true" >> "$GITHUB_OUTPUT"
      echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
    else
      echo "run_detection=false" >> "$GITHUB_OUTPUT"
      echo "Detection skipped: no agent outputs or patches to analyze"
    fi
# Deletes three MCP client configuration files before the detection run, so
# the detector does not start with the agent's MCP servers configured through
# them.
# NOTE(review): the detection step sets CODEX_HOME=/tmp/gh-aw/mcp-config and
# GH_AW_MCP_CONFIG=/tmp/gh-aw/mcp-config/config.toml, and config.toml is not
# removed here - confirm the Codex detection run cannot load MCP servers from
# that file.
- name: Clear MCP configuration for detection
  if: always() && steps.detection_guard.outputs.run_detection == 'true'
  run: |
    rm -f /tmp/gh-aw/mcp-config/mcp-servers.json
    rm -f /home/runner/.copilot/mcp-config.json
    rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
# Stages the detector's inputs (prompt, agent output, any aw-*.patch files)
# under /tmp/gh-aw/threat-detection.
# Every copy is best-effort: errors are discarded and `|| true` keeps the step
# green, so a missing input does not stop the pipeline here. The result parser
# therefore has to treat absent inputs as a failure - TODO confirm it does.
- name: Prepare threat detection files
  if: always() && steps.detection_guard.outputs.run_detection == 'true'
  run: |
    mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
    cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
    cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
    for f in /tmp/gh-aw/aw-*.patch; do
      [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
    done
    echo "Prepared threat detection files:"
    ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true
# Runs setup_threat_detection.cjs with the workflow's name, description and the
# has_patch flag from the ingest step.
# NOTE(review): presumably this is where the detection prompt is written to
# /tmp/gh-aw/aw-prompts/prompt.txt, which the Codex step reads next - confirm.
- name: Setup threat detection
  if: always() && steps.detection_guard.outputs.run_detection == 'true'
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  env:
    WORKFLOW_NAME: "Smoke Agent: all/merged"
    WORKFLOW_DESCRIPTION: "Guard policy smoke test: repos=all, min-integrity=merged (most restrictive)"
    HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
  with:
    script: |
      const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs');
      await main();
# Guarantees the directory and an (initially empty) detection.log exist, so the
# `tee -a` in the next step and the later log upload always have a target.
- name: Ensure threat-detection directory and log
  if: always() && steps.detection_guard.outputs.run_detection == 'true'
  run: |
    mkdir -p /tmp/gh-aw/threat-detection
    touch /tmp/gh-aw/threat-detection/detection.log
# Runs Codex as the threat detector inside the awf sandbox and appends its
# combined stdout/stderr to detection.log.
#
# Points a reviewer should keep in mind:
# - `sudo -E` keeps the step environment and `--env-all` (by its name) passes
#   all of it into the container, which includes CODEX_API_KEY/OPENAI_API_KEY.
# - `--allow-domains` restricts egress to the four listed hosts; web search is
#   switched off with `-c web_search="disabled"`.
# - `--dangerously-bypass-approvals-and-sandbox` turns off Codex's own approval
#   prompts and sandbox, so containment rests on the awf container and
#   firewall alone.
# - The instruction is read from /tmp/gh-aw/aw-prompts/prompt.txt and the
#   material under analysis is agent output, i.e. untrusted text; the verdict
#   must not be trusted more than the parser that reads it back.
# - `set -o pipefail` lets a Codex failure propagate through the `tee` pipe.
- name: Execute Codex
  if: always() && steps.detection_guard.outputs.run_detection == 'true'
  run: |
    set -o pipefail
    mkdir -p "$CODEX_HOME/logs" && touch /tmp/gh-aw/agent-step-summary.md
    # shellcheck disable=SC1003
    sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "172.30.0.1,api.openai.com,host.docker.internal,openai.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.2 --skip-pull --enable-api-proxy \
      -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" && codex ${GH_AW_MODEL_DETECTION_CODEX:+-c model="$GH_AW_MODEL_DETECTION_CODEX" }exec -c web_search="disabled" --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
  env:
    # Same secret is exposed under both names; CODEX_API_KEY wins when set.
    CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}
    CODEX_HOME: /tmp/gh-aw/mcp-config
    GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/config.toml
    # Optional model override from a repository/organisation variable.
    GH_AW_MODEL_DETECTION_CODEX: ${{ vars.GH_AW_MODEL_DETECTION_CODEX || '' }}
    GH_AW_PHASE: detection
    GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
    GH_AW_VERSION: dev
    GITHUB_AW: true
    # Redirects the step summary to a scratch file instead of the runner's.
    GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
    GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
    GIT_AUTHOR_NAME: github-actions[bot]
    GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
    GIT_COMMITTER_NAME: github-actions[bot]
    OPENAI_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}
    # The default level is `trace`, and this output lands in detection.log,
    # which is uploaded as an artifact - check it for sensitive request data.
    # NOTE(review): `ocodex_exec` looks like a typo for `codex_exec` - TODO
    # confirm; if so the directive matches no target and that target logs at
    # the leading `trace` default instead of `debug`.
    RUST_LOG: trace,hyper_util=info,mio=info,reqwest=info,os_info=info,codex_otel=warn,codex_core=debug,ocodex_exec=debug
# Runs parse_threat_detection_results.cjs. Its `success` output is the value
# the detection-conclusion step compares against the literal 'true'.
- name: Parse threat detection results
  id: parse_detection_results
  if: always() && steps.detection_guard.outputs.run_detection == 'true'
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  with:
    script: |
      const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs');
      await main();
# Publishes detection.log as the `detection` artifact. The log holds the
# detector's full output at the configured (trace-default) log level.
- name: Upload threat detection log
  if: always() && steps.detection_guard.outputs.run_detection == 'true'
  uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
  with:
    name: detection
    path: /tmp/gh-aw/threat-detection/detection.log
    if-no-files-found: ignore
# Collapses the detection steps into two outputs, `conclusion` and `success`.
# - Detection ran and the parser reported exactly 'true'  -> success.
# - Detection ran and the parser reported anything else, including an empty
#   value because it crashed or never ran                 -> failure.
#   This branch is what makes the gate fail closed.
# - RUN_DETECTION is anything other than 'true', including empty -> skipped,
#   with success=true.
# NOTE(review): the skipped branch is the permissive one; confirm it cannot be
# reached while agent outputs exist (for example when the guard step itself
# produced no output).
- name: Set detection conclusion
  id: detection_conclusion
  if: always()
  env:
    RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
    DETECTION_SUCCESS: ${{ steps.parse_detection_results.outputs.success }}
  run: |
    if [[ "$RUN_DETECTION" != "true" ]]; then
      echo "conclusion=skipped" >> "$GITHUB_OUTPUT"
      echo "success=true" >> "$GITHUB_OUTPUT"
      echo "Detection was not needed, marking as skipped"
    elif [[ "$DETECTION_SUCCESS" == "true" ]]; then
      echo "conclusion=success" >> "$GITHUB_OUTPUT"
      echo "success=true" >> "$GITHUB_OUTPUT"
      echo "Detection passed successfully"
    else
      echo "conclusion=failure" >> "$GITHUB_OUTPUT"
      echo "success=false" >> "$GITHUB_OUTPUT"
      echo "Detection found issues"
    fi
# Reporting job: runs after activation, agent and safe_outputs whenever the
# agent job was not skipped, and posts no-op / missing-tool / failure notices.
#
# Review notes:
# - The job holds write scopes for discussions, issues and pull requests and
#   its `if` does not depend on the detection result; GH_AW_DETECTION_CONCLUSION
#   is only handed to the last step. The handlers read agent_output.json
#   (agent-produced text) and two of them are configured to open issues, so
#   they are responsible for sanitising that text - TODO confirm.
# - The helper scripts come from a checkout of github/gh-aw with no `ref`, so
#   the default branch at run time is what executes with the write token. The
#   action versions are SHA-pinned; the script content is not.
conclusion:
  needs:
    - activation
    - agent
    - safe_outputs
  if: (always()) && (needs.agent.result != 'skipped')
  runs-on: ubuntu-slim
  permissions:
    contents: read
    discussions: write
    issues: write
    pull-requests: write
  # One conclusion run at a time for this workflow; queued runs are not cancelled.
  concurrency:
    group: "gh-aw-conclusion-smoke-agent-all-merged"
    cancel-in-progress: false
  env:
    # NOTE(review): GitHub's context-availability table does not list `env`
    # for `jobs.<job_id>.env`; this expression may be rejected when the
    # workflow is validated - confirm against the generator.
    GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }}
  outputs:
    noop_message: ${{ steps.noop.outputs.noop_message }}
    tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
    total_count: ${{ steps.missing_tool.outputs.total_count }}
  steps:
    # Sparse checkout of the `actions` folder only; the token is not left in
    # the git config (persist-credentials: false).
    - name: Checkout actions folder
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        repository: github/gh-aw
        sparse-checkout: |
          actions
        persist-credentials: false
    # Local action from the checkout above; installs the helpers under GH_AW_HOME.
    - name: Setup Scripts
      uses: ./actions/setup
      with:
        destination: ${{ env.GH_AW_HOME }}/actions
    # A failed download is tolerated; the next step is skipped in that case and
    # GH_AW_AGENT_OUTPUT stays unset for the handlers below.
    - name: Download agent output artifact
      id: download-agent-output
      continue-on-error: true
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: agent
        path: /tmp/gh-aw/
    - name: Setup agent output environment variable
      if: steps.download-agent-output.outcome == 'success'
      run: |
        mkdir -p /tmp/gh-aw/
        find "/tmp/gh-aw/" -type f -print
        echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV"
    # Each handler below uses GH_AW_GITHUB_TOKEN when that secret is set and
    # falls back to the job's GITHUB_TOKEN otherwise.
    - name: Process No-Op Messages
      id: noop
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      env:
        GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
        GH_AW_NOOP_MAX: "1"
        GH_AW_WORKFLOW_NAME: "Smoke Agent: all/merged"
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs');
          await main();
    - name: Record Missing Tool
      id: missing_tool
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      env:
        GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
        GH_AW_WORKFLOW_NAME: "Smoke Agent: all/merged"
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs');
          await main();
    - name: Handle Agent Failure
      id: handle_agent_failure
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      env:
        GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
        GH_AW_WORKFLOW_NAME: "Smoke Agent: all/merged"
        GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
        GH_AW_WORKFLOW_ID: "smoke-agent-all-merged"
        GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
        GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
        # NOTE(review): the non-ASCII characters in this value look mis-encoded
        # on this page (presumably emoji); reproduced exactly as shown.
        GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e π€ *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"π [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=merged`...\",\"runSuccess\":\"β [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"β [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}"
        GH_AW_GROUP_REPORTS: "false"
        GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
        GH_AW_TIMEOUT_MINUTES: "10"
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs');
          await main();
    - name: Handle No-Op Message
      id: handle_noop_message
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      env:
        GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
        GH_AW_WORKFLOW_NAME: "Smoke Agent: all/merged"
        GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
        # Agent-derived text, passed through env rather than spliced into the script.
        GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
        GH_AW_NOOP_REPORT_AS_ISSUE: "true"
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs');
          await main();
    # The only step that receives the detection conclusion.
    - name: Update reaction comment with completion status
      id: conclusion
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      env:
        GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
        GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
        GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}
        GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        GH_AW_WORKFLOW_NAME: "Smoke Agent: all/merged"
        GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
        GH_AW_DETECTION_CONCLUSION: ${{ needs.agent.outputs.detection_conclusion }}
        GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e π€ *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"π [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=merged`...\",\"runSuccess\":\"β [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"β [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}"
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs');
          await main();
# Gate job: decides whether the workflow may proceed.
# - For pull_request events the PR head must live in this repository
#   (head.repo.id == repository_id), which excludes pull requests from forks.
# - For `labeled` actions the label must be 'metal'.
# - `activated` is true only when check_membership reports is_team_member
#   as the literal 'true'; required roles are admin, maintainer or write.
# The job holds contents: read only and uses the default GITHUB_TOKEN.
#
# NOTE(review): unlike the conclusion and safe_outputs jobs, no job-level
# GH_AW_HOME is set here; `${{ env.GH_AW_HOME }}` below resolves to an empty
# string unless a workflow-level value or the setup action provides it -
# confirm.
# NOTE(review): the checkout has no `ref`, so the membership check runs the
# default branch of github/gh-aw as of run time.
pre_activation:
  if: >
    ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) &&
    ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'metal')))
  runs-on: ubuntu-slim
  permissions:
    contents: read
  outputs:
    activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
    matched_command: ''
  steps:
    - name: Checkout actions folder
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        repository: github/gh-aw
        sparse-checkout: |
          actions
        persist-credentials: false
    - name: Setup Scripts
      uses: ./actions/setup
      with:
        destination: ${{ env.GH_AW_HOME }}/actions
    - name: Check team membership for workflow
      id: check_membership
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      env:
        GH_AW_REQUIRED_ROLES: admin,maintainer,write
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs');
          await main();
# Write-side job: turns the agent's recorded outputs into comments and other
# repository changes using write-scoped permissions.
#
# The `if` is the enforcement point for threat detection: the job runs only
# when the run was not cancelled, the agent job was not skipped, and the agent
# job reported detection_success as the literal 'true'.
#
# Review notes:
# - The handler scripts come from a checkout of github/gh-aw with no `ref`, so
#   the default branch at run time executes with the write token.
# - The handler configuration caps add_comment at 2 and hides older comments;
#   missing_data and missing_tool carry no options.
safe_outputs:
  needs: agent
  if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true')
  runs-on: ubuntu-slim
  permissions:
    contents: read
    discussions: write
    issues: write
    pull-requests: write
  timeout-minutes: 15
  env:
    GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-all-merged"
    GH_AW_ENGINE_ID: "codex"
    # NOTE(review): GitHub's context-availability table does not list `env`
    # for `jobs.<job_id>.env`; this expression may be rejected when the
    # workflow is validated - confirm against the generator.
    GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }}
    # NOTE(review): the non-ASCII characters in this value look mis-encoded on
    # this page (presumably emoji); reproduced exactly as shown.
    GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e π€ *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"π [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=merged`...\",\"runSuccess\":\"β [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"β [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}"
    GH_AW_WORKFLOW_ID: "smoke-agent-all-merged"
    GH_AW_WORKFLOW_NAME: "Smoke Agent: all/merged"
  outputs:
    code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
    code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
    comment_id: ${{ steps.process_safe_outputs.outputs.comment_id }}
    comment_url: ${{ steps.process_safe_outputs.outputs.comment_url }}
    create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
    create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
    process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
    process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
  steps:
    # Sparse checkout of the `actions` folder; credentials are not persisted.
    - name: Checkout actions folder
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        repository: github/gh-aw
        sparse-checkout: |
          actions
        persist-credentials: false
    - name: Setup Scripts
      uses: ./actions/setup
      with:
        destination: ${{ env.GH_AW_HOME }}/actions
    # The artifact is the hand-off from the agent job. A failed download is
    # tolerated; GH_AW_AGENT_OUTPUT then stays unset for the handler.
    - name: Download agent output artifact
      id: download-agent-output
      continue-on-error: true
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: agent
        path: /tmp/gh-aw/
    - name: Setup agent output environment variable
      if: steps.download-agent-output.outcome == 'success'
      run: |
        mkdir -p /tmp/gh-aw/
        find "/tmp/gh-aw/" -type f -print
        echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV"
    # Applies the agent's outputs with a write-capable token
    # (GH_AW_GITHUB_TOKEN when set, otherwise the job's GITHUB_TOKEN).
    - name: Process Safe Outputs
      id: process_safe_outputs
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      env:
        GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
        # NOTE(review): presumably the URL allow-list applied to agent-written
        # content before it is posted - confirm in the handler. It contains a
        # wildcard (*.githubusercontent.com) and loopback/internal hosts.
        GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,127.0.0.1,172.30.0.1,::1,api.openai.com,api.snapcraft.io,app.renovatebot.com,appveyor.com,archive.ubuntu.com,azure.archive.ubuntu.com,badgen.net,circleci.com,codacy.com,codeclimate.com,codecov.io,codeload.github.com,coveralls.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deepsource.io,docs.github.com,drone.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,img.shields.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,localhost,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,readthedocs.io,readthedocs.org,renovatebot.com,s.symcb.com,s.symcd.com,security.ubuntu.com,semaphoreci.com,shields.io,snyk.io,sonarcloud.io,sonarqube.com,travis-ci.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
        GITHUB_SERVER_URL: ${{ github.server_url }}
        GITHUB_API_URL: ${{ github.api_url }}
        GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":2},\"missing_data\":{},\"missing_tool\":{}}"
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs');
          await main();
    # Audit trail of what was applied; `warn` (not `ignore`) surfaces a
    # missing manifest in the run log.
    - name: Upload Safe Output Items Manifest
      if: always()
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: safe-output-items
        path: /tmp/safe-output-items.jsonl
        if-no-files-found: warn