Upgrade gh-aw to v0.39.0 and recompile workflows #1417
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # ___ _ _ | |
| # / _ \ | | (_) | |
| # | |_| | __ _ ___ _ __ | |_ _ ___ | |
| # | _ |/ _` |/ _ \ '_ \| __| |/ __| | |
| # | | | | (_| | __/ | | | |_| | (__ | |
| # \_| |_/\__, |\___|_| |_|\__|_|\___| | |
| # __/ | | |
| # _ _ |___/ | |
| # | | | | / _| | | |
| # | | | | ___ _ __ _ __| |_| | _____ ____ | |
| # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| | |
| # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ | |
| # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ | |
| # | |
| # This file was automatically generated by gh-aw (v0.39.0). DO NOT EDIT. | |
| # | |
| # To update this file, edit githubnext/agentics/workflows/pr-fix.md@1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32 and run: | |
| # gh aw compile | |
| # For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md | |
| # | |
| # This workflow makes fixes to pull requests on-demand by the '/pr-fix' command. | |
| # Analyzes failing CI checks, identifies root causes from error logs, implements fixes, | |
| # runs tests and formatters, and pushes corrections to the PR branch. Provides detailed | |
| # comments explaining changes made. Helps rapidly resolve PR blockers and keep | |
| # development flowing. | |
| # | |
| # Source: githubnext/agentics/workflows/pr-fix.md@1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32 | |
| # | |
| # frontmatter-hash: 6c8243bec74ce958a8009c49ea6412852b204555bede186eaba107cb95bc5ec5 | |
| name: "PR Fix" | |
| "on": | |
| discussion: | |
| types: | |
| - created | |
| - edited | |
| discussion_comment: | |
| types: | |
| - created | |
| - edited | |
| issue_comment: | |
| types: | |
| - created | |
| - edited | |
| issues: | |
| types: | |
| - opened | |
| - edited | |
| - reopened | |
| pull_request: | |
| types: | |
| - opened | |
| - edited | |
| - reopened | |
| pull_request_review_comment: | |
| types: | |
| - created | |
| - edited | |
| permissions: {} | |
| concurrency: | |
| group: "gh-aw-${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number }}" | |
| run-name: "PR Fix" | |
| jobs: | |
| activation: | |
| needs: pre_activation | |
| if: > | |
| (needs.pre_activation.outputs.activated == 'true') && ((github.event_name == 'issues') && (contains(github.event.issue.body, '/pr-fix')) || | |
| (github.event_name == 'issue_comment') && ((contains(github.event.comment.body, '/pr-fix')) && (github.event.issue.pull_request == null)) || | |
| (github.event_name == 'issue_comment') && ((contains(github.event.comment.body, '/pr-fix')) && (github.event.issue.pull_request != null)) || | |
| (github.event_name == 'pull_request_review_comment') && (contains(github.event.comment.body, '/pr-fix')) || | |
| (github.event_name == 'pull_request') && (contains(github.event.pull_request.body, '/pr-fix')) || | |
| (github.event_name == 'discussion') && | |
| (contains(github.event.discussion.body, '/pr-fix')) || (github.event_name == 'discussion_comment') && | |
| (contains(github.event.comment.body, '/pr-fix'))) | |
| runs-on: ubuntu-slim | |
| permissions: | |
| contents: read | |
| discussions: write | |
| issues: write | |
| pull-requests: write | |
| outputs: | |
| comment_id: ${{ steps.add-comment.outputs.comment-id }} | |
| comment_repo: ${{ steps.add-comment.outputs.comment-repo }} | |
| comment_url: ${{ steps.add-comment.outputs.comment-url }} | |
| slash_command: ${{ needs.pre_activation.outputs.matched_command }} | |
| text: ${{ steps.compute-text.outputs.text }} | |
| steps: | |
| - name: Setup Scripts | |
| uses: githubnext/gh-aw/actions/setup@10f1341b529f9a8b51c463e191b7dd63d4caccfd # v0.39.0 | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Check workflow file timestamps | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_WORKFLOW_FILE: "pr-fix.lock.yml" | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); | |
| await main(); | |
| - name: Compute current body text | |
| id: compute-text | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); | |
| await main(); | |
| - name: Add comment with workflow run link | |
| id: add-comment | |
| if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_WORKFLOW_NAME: "PR Fix" | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); | |
| await main(); | |
| agent: | |
| needs: activation | |
| runs-on: ubuntu-latest | |
| permissions: read-all | |
| env: | |
| DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
| GH_AW_ASSETS_ALLOWED_EXTS: "" | |
| GH_AW_ASSETS_BRANCH: "" | |
| GH_AW_ASSETS_MAX_SIZE_KB: 0 | |
| GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs | |
| GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl | |
| GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json | |
| GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json | |
| outputs: | |
| has_patch: ${{ steps.collect_output.outputs.has_patch }} | |
| model: ${{ steps.generate_aw_info.outputs.model }} | |
| output: ${{ steps.collect_output.outputs.output }} | |
| output_types: ${{ steps.collect_output.outputs.output_types }} | |
| secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} | |
| steps: | |
| - name: Setup Scripts | |
| uses: githubnext/gh-aw/actions/setup@10f1341b529f9a8b51c463e191b7dd63d4caccfd # v0.39.0 | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Checkout repository | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: Create gh-aw temp directory | |
| run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh | |
| - name: Configure Git credentials | |
| env: | |
| REPO_NAME: ${{ github.repository }} | |
| SERVER_URL: ${{ github.server_url }} | |
| run: | | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --global user.name "github-actions[bot]" | |
| # Re-authenticate git with GitHub token | |
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | |
| git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | |
| echo "Git configured with standard GitHub Actions identity" | |
| - name: Checkout PR branch | |
| if: | | |
| github.event.pull_request | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| with: | |
| github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); | |
| await main(); | |
| - name: Validate COPILOT_GITHUB_TOKEN secret | |
| id: validate-secret | |
| run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default | |
| env: | |
| COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} | |
| - name: Install GitHub Copilot CLI | |
| run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.400 | |
| - name: Install awf binary | |
| run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 | |
| - name: Determine automatic lockdown mode for GitHub MCP server | |
| id: determine-automatic-lockdown | |
| env: | |
| TOKEN_CHECK: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} | |
| if: env.TOKEN_CHECK != '' | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| with: | |
| script: | | |
| const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); | |
| await determineAutomaticLockdown(github, context, core); | |
| - name: Download container images | |
| run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.86 node:lts-alpine | |
| - name: Write Safe Outputs Config | |
| run: | | |
| mkdir -p /opt/gh-aw/safeoutputs | |
| mkdir -p /tmp/gh-aw/safeoutputs | |
| mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs | |
| cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' | |
| {"add_comment":{"max":1},"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0}} | |
| EOF | |
| cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' | |
| [ | |
| { | |
| "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ github.workflow }}\".", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "body": { | |
| "description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate.", | |
| "type": "string" | |
| }, | |
| "labels": { | |
| "description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository.", | |
| "items": { | |
| "type": "string" | |
| }, | |
| "type": "array" | |
| }, | |
| "parent": { | |
| "description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123def456') from a previously created issue in the same workflow run.", | |
| "type": [ | |
| "number", | |
| "string" | |
| ] | |
| }, | |
| "temporary_id": { | |
| "description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 12 hex characters (e.g., 'aw_abc123def456'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.", | |
| "type": "string" | |
| }, | |
| "title": { | |
| "description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive.", | |
| "type": "string" | |
| } | |
| }, | |
| "required": [ | |
| "title", | |
| "body" | |
| ], | |
| "type": "object" | |
| }, | |
| "name": "create_issue" | |
| }, | |
| { | |
| "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "body": { | |
| "description": "The comment text in Markdown format. This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation.", | |
| "type": "string" | |
| }, | |
| "item_number": { | |
| "description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). If omitted, the tool will attempt to resolve the target from the current workflow context (triggering issue, PR, or discussion).", | |
| "type": "number" | |
| } | |
| }, | |
| "required": [ | |
| "body" | |
| ], | |
| "type": "object" | |
| }, | |
| "name": "add_comment" | |
| }, | |
| { | |
| "description": "Push committed changes to a pull request's branch. Use this to add follow-up commits to an existing PR, such as addressing review feedback or fixing issues. Changes must be committed locally before calling this tool.", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "branch": { | |
| "description": "Branch name to push changes from. If omitted, uses the current working branch. Only specify if you need to push from a different branch.", | |
| "type": "string" | |
| }, | |
| "message": { | |
| "description": "Commit message describing the changes. Follow repository commit message conventions (e.g., conventional commits).", | |
| "type": "string" | |
| }, | |
| "pull_request_number": { | |
| "description": "Pull request number to push changes to. This is the numeric ID from the GitHub URL (e.g., 654 in github.com/owner/repo/pull/654). Required when the workflow target is '*' (any PR).", | |
| "type": [ | |
| "number", | |
| "string" | |
| ] | |
| } | |
| }, | |
| "required": [ | |
| "message" | |
| ], | |
| "type": "object" | |
| }, | |
| "name": "push_to_pull_request_branch" | |
| }, | |
| { | |
| "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "alternatives": { | |
| "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", | |
| "type": "string" | |
| }, | |
| "reason": { | |
| "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", | |
| "type": "string" | |
| }, | |
| "tool": { | |
| "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", | |
| "type": "string" | |
| } | |
| }, | |
| "required": [ | |
| "reason" | |
| ], | |
| "type": "object" | |
| }, | |
| "name": "missing_tool" | |
| }, | |
| { | |
| "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "message": { | |
| "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').", | |
| "type": "string" | |
| } | |
| }, | |
| "required": [ | |
| "message" | |
| ], | |
| "type": "object" | |
| }, | |
| "name": "noop" | |
| }, | |
| { | |
| "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "alternatives": { | |
| "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", | |
| "type": "string" | |
| }, | |
| "context": { | |
| "description": "Additional context about the missing data or where it should come from (max 256 characters).", | |
| "type": "string" | |
| }, | |
| "data_type": { | |
| "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", | |
| "type": "string" | |
| }, | |
| "reason": { | |
| "description": "Explanation of why this data is needed to complete the task (max 256 characters).", | |
| "type": "string" | |
| } | |
| }, | |
| "required": [], | |
| "type": "object" | |
| }, | |
| "name": "missing_data" | |
| } | |
| ] | |
| EOF | |
| cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' | |
| { | |
| "add_comment": { | |
| "defaultMax": 1, | |
| "fields": { | |
| "body": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 65000 | |
| }, | |
| "item_number": { | |
| "issueOrPRNumber": true | |
| } | |
| } | |
| }, | |
| "create_issue": { | |
| "defaultMax": 1, | |
| "fields": { | |
| "body": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 65000 | |
| }, | |
| "labels": { | |
| "type": "array", | |
| "itemType": "string", | |
| "itemSanitize": true, | |
| "itemMaxLength": 128 | |
| }, | |
| "parent": { | |
| "issueOrPRNumber": true | |
| }, | |
| "repo": { | |
| "type": "string", | |
| "maxLength": 256 | |
| }, | |
| "temporary_id": { | |
| "type": "string" | |
| }, | |
| "title": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 128 | |
| } | |
| } | |
| }, | |
| "missing_tool": { | |
| "defaultMax": 20, | |
| "fields": { | |
| "alternatives": { | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 512 | |
| }, | |
| "reason": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 256 | |
| }, | |
| "tool": { | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 128 | |
| } | |
| } | |
| }, | |
| "noop": { | |
| "defaultMax": 1, | |
| "fields": { | |
| "message": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 65000 | |
| } | |
| } | |
| }, | |
| "push_to_pull_request_branch": { | |
| "defaultMax": 1, | |
| "fields": { | |
| "branch": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 256 | |
| }, | |
| "message": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 65000 | |
| }, | |
| "pull_request_number": { | |
| "issueOrPRNumber": true | |
| } | |
| } | |
| } | |
| } | |
| EOF | |
| - name: Generate Safe Outputs MCP Server Config | |
| id: safe-outputs-config | |
| run: | | |
| # Generate a secure random API key (360 bits of entropy, 40+ chars) | |
| API_KEY="" | |
| API_KEY=$(openssl rand -base64 45 | tr -d '/+=') | |
| PORT=3001 | |
| # Register API key as secret to mask it from logs | |
| echo "::add-mask::${API_KEY}" | |
| # Set outputs for next steps | |
| { | |
| echo "safe_outputs_api_key=${API_KEY}" | |
| echo "safe_outputs_port=${PORT}" | |
| } >> "$GITHUB_OUTPUT" | |
| echo "Safe Outputs MCP server will run on port ${PORT}" | |
| - name: Start Safe Outputs MCP HTTP Server | |
| id: safe-outputs-start | |
| env: | |
| GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} | |
| GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} | |
| GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json | |
| GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json | |
| GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs | |
| run: | | |
| # Environment variables are set above to prevent template injection | |
| export GH_AW_SAFE_OUTPUTS_PORT | |
| export GH_AW_SAFE_OUTPUTS_API_KEY | |
| export GH_AW_SAFE_OUTPUTS_TOOLS_PATH | |
| export GH_AW_SAFE_OUTPUTS_CONFIG_PATH | |
| export GH_AW_MCP_LOG_DIR | |
| bash /opt/gh-aw/actions/start_safe_outputs_server.sh | |
| - name: Start MCP gateway | |
| id: start-mcp-gateway | |
| env: | |
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} | |
| GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} | |
| GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} | |
| GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -eo pipefail | |
| mkdir -p /tmp/gh-aw/mcp-config | |
| # Export gateway environment variables for MCP config and gateway script | |
| export MCP_GATEWAY_PORT="80" | |
| export MCP_GATEWAY_DOMAIN="host.docker.internal" | |
| MCP_GATEWAY_API_KEY="" | |
| MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') | |
| export MCP_GATEWAY_API_KEY | |
| # Register API key as secret to mask it from logs | |
| echo "::add-mask::${MCP_GATEWAY_API_KEY}" | |
| export GH_AW_ENGINE="copilot" | |
| export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.86' | |
| mkdir -p /home/runner/.copilot | |
| cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh | |
| { | |
| "mcpServers": { | |
| "github": { | |
| "type": "stdio", | |
| "container": "ghcr.io/github/github-mcp-server:v0.30.2", | |
| "env": { | |
| "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", | |
| "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", | |
| "GITHUB_READ_ONLY": "1", | |
| "GITHUB_TOOLSETS": "all" | |
| } | |
| }, | |
| "safeoutputs": { | |
| "type": "http", | |
| "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", | |
| "headers": { | |
| "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" | |
| } | |
| } | |
| }, | |
| "gateway": { | |
| "port": $MCP_GATEWAY_PORT, | |
| "domain": "${MCP_GATEWAY_DOMAIN}", | |
| "apiKey": "${MCP_GATEWAY_API_KEY}" | |
| } | |
| } | |
| MCPCONFIG_EOF | |
| - name: Generate agentic run info | |
| id: generate_aw_info | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const awInfo = { | |
| engine_id: "copilot", | |
| engine_name: "GitHub Copilot CLI", | |
| model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", | |
| version: "", | |
| agent_version: "0.0.400", | |
| cli_version: "v0.39.0", | |
| workflow_name: "PR Fix", | |
| experimental: false, | |
| supports_tools_allowlist: true, | |
| supports_http_transport: true, | |
| run_id: context.runId, | |
| run_number: context.runNumber, | |
| run_attempt: process.env.GITHUB_RUN_ATTEMPT, | |
| repository: context.repo.owner + '/' + context.repo.repo, | |
| ref: context.ref, | |
| sha: context.sha, | |
| actor: context.actor, | |
| event_name: context.eventName, | |
| staged: false, | |
| allowed_domains: ["defaults"], | |
| firewall_enabled: true, | |
| awf_version: "v0.11.2", | |
| awmg_version: "v0.0.86", | |
| steps: { | |
| firewall: "squid" | |
| }, | |
| created_at: new Date().toISOString() | |
| }; | |
| // Write to /tmp/gh-aw directory to avoid inclusion in PR | |
| const tmpPath = '/tmp/gh-aw/aw_info.json'; | |
| fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); | |
| console.log('Generated aw_info.json at:', tmpPath); | |
| console.log(JSON.stringify(awInfo, null, 2)); | |
| // Set model as output for reuse in other steps/jobs | |
| core.setOutput('model', awInfo.model); | |
| - name: Generate workflow overview | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); | |
| await generateWorkflowOverview(core); | |
| - name: Create prompt with built-in context | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| GH_AW_GITHUB_ACTOR: ${{ github.actor }} | |
| GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} | |
| GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} | |
| GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} | |
| GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} | |
| GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} | |
| GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} | |
| GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} | |
| run: | | |
| bash /opt/gh-aw/actions/create_prompt_first.sh | |
| cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" | |
| <system> | |
| PROMPT_EOF | |
| cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" | |
| cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" | |
| cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| <safe-outputs> | |
| <description>GitHub API Access Instructions</description> | |
| <important> | |
| The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations. | |
| </important> | |
| <instructions> | |
| To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. | |
| Discover available tools from the safeoutputs MCP server. | |
| **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. | |
| **Note**: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed. | |
| </instructions> | |
| </safe-outputs> | |
| <github-context> | |
| The following GitHub context information is available for this workflow: | |
| {{#if __GH_AW_GITHUB_ACTOR__ }} | |
| - **actor**: __GH_AW_GITHUB_ACTOR__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_REPOSITORY__ }} | |
| - **repository**: __GH_AW_GITHUB_REPOSITORY__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_WORKSPACE__ }} | |
| - **workspace**: __GH_AW_GITHUB_WORKSPACE__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} | |
| - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} | |
| - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} | |
| - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} | |
| - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_RUN_ID__ }} | |
| - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ | |
| {{/if}} | |
| </github-context> | |
| PROMPT_EOF | |
| if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then | |
| cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" | |
| fi | |
| cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| </system> | |
| PROMPT_EOF | |
| cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| {{#runtime-import workflows/pr-fix.md}} | |
| PROMPT_EOF | |
| - name: Substitute placeholders | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| GH_AW_GITHUB_ACTOR: ${{ github.actor }} | |
| GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} | |
| GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} | |
| GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} | |
| GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} | |
| GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} | |
| GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} | |
| GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} | |
| with: | |
| script: | | |
| const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); | |
| // Call the substitution function | |
| return await substitutePlaceholders({ | |
| file: process.env.GH_AW_PROMPT, | |
| substitutions: { | |
| GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, | |
| GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, | |
| GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, | |
| GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, | |
| GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, | |
| GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, | |
| GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, | |
| GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE, | |
| GH_AW_IS_PR_COMMENT: process.env.GH_AW_IS_PR_COMMENT | |
| } | |
| }); | |
| - name: Interpolate variables and render templates | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); | |
| await main(); | |
| - name: Validate prompt placeholders | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh | |
| - name: Print prompt | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| run: bash /opt/gh-aw/actions/print_prompt_summary.sh | |
| - name: Execute GitHub Copilot CLI | |
| id: agentic_execution | |
| # Copilot CLI tool arguments (sorted): | |
| # --allow-tool github | |
| # --allow-tool safeoutputs | |
| # --allow-tool shell | |
| # --allow-tool web_fetch | |
| # --allow-tool write | |
| timeout-minutes: 20 | |
| run: | | |
| set -o pipefail | |
| GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS | |
| mkdir -p "$HOME/.cache" | |
| sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ | |
| -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool web_fetch --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ | |
| 2>&1 | tee /tmp/gh-aw/agent-stdio.log | |
| env: | |
| COPILOT_AGENT_RUNNER_TYPE: STANDALONE | |
| COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} | |
| GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json | |
| GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| GITHUB_HEAD_REF: ${{ github.head_ref }} | |
| GITHUB_REF_NAME: ${{ github.ref_name }} | |
| GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} | |
| GITHUB_WORKSPACE: ${{ github.workspace }} | |
| XDG_CONFIG_HOME: /home/runner | |
| - name: Copy Copilot session state files to logs | |
| if: always() | |
| continue-on-error: true | |
| run: | | |
| # Copy Copilot session state files to logs folder for artifact collection | |
| # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them | |
| SESSION_STATE_DIR="$HOME/.copilot/session-state" | |
| LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" | |
| if [ -d "$SESSION_STATE_DIR" ]; then | |
| echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" | |
| mkdir -p "$LOGS_DIR" | |
| cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true | |
| echo "Session state files copied successfully" | |
| else | |
| echo "No session-state directory found at $SESSION_STATE_DIR" | |
| fi | |
| - name: Stop MCP gateway | |
| if: always() | |
| continue-on-error: true | |
| env: | |
| MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} | |
| MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} | |
| GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} | |
| run: | | |
| bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" | |
| - name: Redact secrets in logs | |
| if: always() | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); | |
| await main(); | |
| env: | |
| GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' | |
| SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} | |
| SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} | |
| SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} | |
| SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload Safe Outputs | |
| if: always() | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: safe-output | |
| path: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| if-no-files-found: warn | |
| - name: Ingest agent output | |
| id: collect_output | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" | |
| GITHUB_SERVER_URL: ${{ github.server_url }} | |
| GITHUB_API_URL: ${{ github.api_url }} | |
| GH_AW_COMMAND: pr-fix | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); | |
| await main(); | |
| - name: Upload sanitized agent output | |
| if: always() && env.GH_AW_AGENT_OUTPUT | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: agent-output | |
| path: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| if-no-files-found: warn | |
| - name: Upload engine output files | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: agent_outputs | |
| path: | | |
| /tmp/gh-aw/sandbox/agent/logs/ | |
| /tmp/gh-aw/redacted-urls.log | |
| if-no-files-found: ignore | |
| - name: Parse agent logs for step summary | |
| if: always() | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); | |
| await main(); | |
| - name: Parse MCP gateway logs for step summary | |
| if: always() | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); | |
| await main(); | |
| - name: Print firewall logs | |
| if: always() | |
| continue-on-error: true | |
| env: | |
| AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs | |
| run: | | |
| # Fix permissions on firewall logs so they can be uploaded as artifacts | |
| # AWF runs with sudo, creating files owned by root | |
| sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true | |
| awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" | |
| - name: Upload agent artifacts | |
| if: always() | |
| continue-on-error: true | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: agent-artifacts | |
| path: | | |
| /tmp/gh-aw/aw-prompts/prompt.txt | |
| /tmp/gh-aw/aw_info.json | |
| /tmp/gh-aw/mcp-logs/ | |
| /tmp/gh-aw/sandbox/firewall/logs/ | |
| /tmp/gh-aw/agent-stdio.log | |
| /tmp/gh-aw/aw.patch | |
| if-no-files-found: ignore | |
| conclusion: | |
| needs: | |
| - activation | |
| - agent | |
| - detection | |
| - safe_outputs | |
| if: (always()) && (needs.agent.result != 'skipped') | |
| runs-on: ubuntu-slim | |
| permissions: | |
| contents: read | |
| discussions: write | |
| issues: write | |
| pull-requests: write | |
| outputs: | |
| noop_message: ${{ steps.noop.outputs.noop_message }} | |
| tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} | |
| total_count: ${{ steps.missing_tool.outputs.total_count }} | |
| steps: | |
| - name: Setup Scripts | |
| uses: githubnext/gh-aw/actions/setup@10f1341b529f9a8b51c463e191b7dd63d4caccfd # v0.39.0 | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Generate GitHub App token | |
| id: safe-outputs-app-token | |
| uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 | |
| with: | |
| app-id: ${{ vars.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| owner: ${{ github.repository_owner }} | |
| repositories: ${{ github.event.repository.name }} | |
| github-api-url: ${{ github.api_url }} | |
| permission-contents: read | |
| permission-discussions: write | |
| permission-issues: write | |
| permission-pull-requests: write | |
| - name: Debug job inputs | |
| env: | |
| COMMENT_ID: ${{ needs.activation.outputs.comment_id }} | |
| COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }} | |
| AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} | |
| AGENT_CONCLUSION: ${{ needs.agent.result }} | |
| run: | | |
| echo "Comment ID: $COMMENT_ID" | |
| echo "Comment Repo: $COMMENT_REPO" | |
| echo "Agent Output Types: $AGENT_OUTPUT_TYPES" | |
| echo "Agent Conclusion: $AGENT_CONCLUSION" | |
| - name: Download agent output artifact | |
| continue-on-error: true | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: agent-output | |
| path: /tmp/gh-aw/safeoutputs/ | |
| - name: Setup agent output environment variable | |
| run: | | |
| mkdir -p /tmp/gh-aw/safeoutputs/ | |
| find "/tmp/gh-aw/safeoutputs/" -type f -print | |
| echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" | |
| - name: Process No-Op Messages | |
| id: noop | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_NOOP_MAX: 1 | |
| GH_AW_WORKFLOW_NAME: "PR Fix" | |
| GH_AW_WORKFLOW_SOURCE: "githubnext/agentics/workflows/pr-fix.md@1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32" | |
| GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/githubnext/agentics/tree/1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32/workflows/pr-fix.md" | |
| with: | |
| github-token: ${{ steps.safe-outputs-app-token.outputs.token }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/noop.cjs'); | |
| await main(); | |
| - name: Record Missing Tool | |
| id: missing_tool | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_WORKFLOW_NAME: "PR Fix" | |
| GH_AW_WORKFLOW_SOURCE: "githubnext/agentics/workflows/pr-fix.md@1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32" | |
| GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/githubnext/agentics/tree/1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32/workflows/pr-fix.md" | |
| with: | |
| github-token: ${{ steps.safe-outputs-app-token.outputs.token }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); | |
| await main(); | |
| - name: Handle Agent Failure | |
| id: handle_agent_failure | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_WORKFLOW_NAME: "PR Fix" | |
| GH_AW_WORKFLOW_SOURCE: "githubnext/agentics/workflows/pr-fix.md@1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32" | |
| GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/githubnext/agentics/tree/1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32/workflows/pr-fix.md" | |
| GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} | |
| GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} | |
| with: | |
| github-token: ${{ steps.safe-outputs-app-token.outputs.token }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); | |
| await main(); | |
| - name: Update reaction comment with completion status | |
| id: conclusion | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }} | |
| GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }} | |
| GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| GH_AW_WORKFLOW_NAME: "PR Fix" | |
| GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} | |
| GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.result }} | |
| with: | |
| github-token: ${{ steps.safe-outputs-app-token.outputs.token }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); | |
| await main(); | |
| - name: Invalidate GitHub App token | |
| if: always() && steps.safe-outputs-app-token.outputs.token != '' | |
| env: | |
| TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }} | |
| run: | | |
| echo "Revoking GitHub App installation token..." | |
| # GitHub CLI will auth with the token being revoked. | |
| gh api \ | |
| --method DELETE \ | |
| -H "Authorization: token $TOKEN" \ | |
| /installation/token || echo "Token revoke may already be expired." | |
| echo "Token invalidation step complete." | |
| detection: | |
| needs: agent | |
| if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' | |
| runs-on: ubuntu-latest | |
| permissions: {} | |
| timeout-minutes: 10 | |
| outputs: | |
| success: ${{ steps.parse_results.outputs.success }} | |
| steps: | |
| - name: Setup Scripts | |
| uses: githubnext/gh-aw/actions/setup@10f1341b529f9a8b51c463e191b7dd63d4caccfd # v0.39.0 | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Download agent artifacts | |
| continue-on-error: true | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: agent-artifacts | |
| path: /tmp/gh-aw/threat-detection/ | |
| - name: Download agent output artifact | |
| continue-on-error: true | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: agent-output | |
| path: /tmp/gh-aw/threat-detection/ | |
| - name: Echo agent output types | |
| env: | |
| AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} | |
| run: | | |
| echo "Agent output-types: $AGENT_OUTPUT_TYPES" | |
| - name: Setup threat detection | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| WORKFLOW_NAME: "PR Fix" | |
| WORKFLOW_DESCRIPTION: "This workflow makes fixes to pull requests on-demand by the '/pr-fix' command.\nAnalyzes failing CI checks, identifies root causes from error logs, implements fixes,\nruns tests and formatters, and pushes corrections to the PR branch. Provides detailed\ncomments explaining changes made. Helps rapidly resolve PR blockers and keep\ndevelopment flowing." | |
| HAS_PATCH: ${{ needs.agent.outputs.has_patch }} | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); | |
| await main(); | |
| - name: Ensure threat-detection directory and log | |
| run: | | |
| mkdir -p /tmp/gh-aw/threat-detection | |
| touch /tmp/gh-aw/threat-detection/detection.log | |
| - name: Validate COPILOT_GITHUB_TOKEN secret | |
| id: validate-secret | |
| run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default | |
| env: | |
| COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} | |
| - name: Install GitHub Copilot CLI | |
| run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.400 | |
| - name: Execute GitHub Copilot CLI | |
| id: agentic_execution | |
| # Copilot CLI tool arguments (sorted): | |
| # --allow-tool shell(cat) | |
| # --allow-tool shell(grep) | |
| # --allow-tool shell(head) | |
| # --allow-tool shell(jq) | |
| # --allow-tool shell(ls) | |
| # --allow-tool shell(tail) | |
| # --allow-tool shell(wc) | |
| timeout-minutes: 20 | |
| run: | | |
| set -o pipefail | |
| COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" | |
| mkdir -p /tmp/ | |
| mkdir -p /tmp/gh-aw/ | |
| mkdir -p /tmp/gh-aw/agent/ | |
| mkdir -p /tmp/gh-aw/sandbox/agent/logs/ | |
| copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool 'shell(cat)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(jq)' --allow-tool 'shell(ls)' --allow-tool 'shell(tail)' --allow-tool 'shell(wc)' --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log | |
| env: | |
| COPILOT_AGENT_RUNNER_TYPE: STANDALONE | |
| COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} | |
| GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| GITHUB_HEAD_REF: ${{ github.head_ref }} | |
| GITHUB_REF_NAME: ${{ github.ref_name }} | |
| GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} | |
| GITHUB_WORKSPACE: ${{ github.workspace }} | |
| XDG_CONFIG_HOME: /home/runner | |
| - name: Parse threat detection results | |
| id: parse_results | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); | |
| await main(); | |
| - name: Upload threat detection log | |
| if: always() | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: threat-detection.log | |
| path: /tmp/gh-aw/threat-detection/detection.log | |
| if-no-files-found: ignore | |
| pre_activation: | |
| if: > | |
| (github.event_name == 'issues') && (contains(github.event.issue.body, '/pr-fix')) || | |
| (github.event_name == 'issue_comment') && | |
| ((contains(github.event.comment.body, '/pr-fix')) && (github.event.issue.pull_request == null)) || | |
| (github.event_name == 'issue_comment') && | |
| ((contains(github.event.comment.body, '/pr-fix')) && (github.event.issue.pull_request != null)) || | |
| (github.event_name == 'pull_request_review_comment') && | |
| (contains(github.event.comment.body, '/pr-fix')) || (github.event_name == 'pull_request') && | |
| (contains(github.event.pull_request.body, '/pr-fix')) || | |
| (github.event_name == 'discussion') && (contains(github.event.discussion.body, '/pr-fix')) || | |
| (github.event_name == 'discussion_comment') && | |
| (contains(github.event.comment.body, '/pr-fix')) | |
| runs-on: ubuntu-slim | |
| permissions: | |
| discussions: write | |
| issues: write | |
| pull-requests: write | |
| outputs: | |
| activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }} | |
| matched_command: ${{ steps.check_command_position.outputs.matched_command }} | |
| steps: | |
| - name: Setup Scripts | |
| uses: githubnext/gh-aw/actions/setup@10f1341b529f9a8b51c463e191b7dd63d4caccfd # v0.39.0 | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Add eyes reaction for immediate feedback | |
| id: react | |
| if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_REACTION: "eyes" | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); | |
| await main(); | |
| - name: Check team membership for command workflow | |
| id: check_membership | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_REQUIRED_ROLES: admin,maintainer,write | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); | |
| await main(); | |
| - name: Check command position | |
| id: check_command_position | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_COMMANDS: "[\"pr-fix\"]" | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); | |
| await main(); | |
| safe_outputs: | |
| needs: | |
| - activation | |
| - agent | |
| - detection | |
| if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true') | |
| runs-on: ubuntu-slim | |
| permissions: | |
| contents: write | |
| discussions: write | |
| issues: write | |
| pull-requests: write | |
| timeout-minutes: 15 | |
| env: | |
| GH_AW_ENGINE_ID: "copilot" | |
| GH_AW_WORKFLOW_ID: "pr-fix" | |
| GH_AW_WORKFLOW_NAME: "PR Fix" | |
| GH_AW_WORKFLOW_SOURCE: "githubnext/agentics/workflows/pr-fix.md@1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32" | |
| GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/githubnext/agentics/tree/1ef9dbe65e8265b57fe2ffa76098457cf3ae2b32/workflows/pr-fix.md" | |
| outputs: | |
| process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} | |
| process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} | |
| steps: | |
| - name: Setup Scripts | |
| uses: githubnext/gh-aw/actions/setup@10f1341b529f9a8b51c463e191b7dd63d4caccfd # v0.39.0 | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Download agent output artifact | |
| continue-on-error: true | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: agent-output | |
| path: /tmp/gh-aw/safeoutputs/ | |
| - name: Setup agent output environment variable | |
| run: | | |
| mkdir -p /tmp/gh-aw/safeoutputs/ | |
| find "/tmp/gh-aw/safeoutputs/" -type f -print | |
| echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" | |
| - name: Download patch artifact | |
| continue-on-error: true | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: agent-artifacts | |
| path: /tmp/gh-aw/ | |
| - name: Generate GitHub App token | |
| id: safe-outputs-app-token | |
| uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 | |
| with: | |
| app-id: ${{ vars.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| owner: ${{ github.repository_owner }} | |
| repositories: ${{ github.event.repository.name }} | |
| github-api-url: ${{ github.api_url }} | |
| permission-contents: write | |
| permission-discussions: write | |
| permission-issues: write | |
| permission-pull-requests: write | |
| - name: Checkout repository | |
| if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 | |
| with: | |
| token: ${{ steps.safe-outputs-app-token.outputs.token }} | |
| persist-credentials: false | |
| fetch-depth: 1 | |
| - name: Configure Git credentials | |
| if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) | |
| env: | |
| REPO_NAME: ${{ github.repository }} | |
| SERVER_URL: ${{ github.server_url }} | |
| GIT_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }} | |
| run: | | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --global user.name "github-actions[bot]" | |
| # Re-authenticate git with GitHub token | |
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | |
| git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | |
| echo "Git configured with standard GitHub Actions identity" | |
| - name: Process Safe Outputs | |
| id: process_safe_outputs | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_issue\":{\"max\":1,\"title_prefix\":\"${{ github.workflow }}\"},\"missing_data\":{},\"missing_tool\":{},\"push_to_pull_request_branch\":{\"base_branch\":\"${{ github.ref_name }}\",\"if_no_changes\":\"warn\",\"max_patch_size\":1024}}" | |
| with: | |
| github-token: ${{ steps.safe-outputs-app-token.outputs.token }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); | |
| await main(); | |
| - name: Invalidate GitHub App token | |
| if: always() && steps.safe-outputs-app-token.outputs.token != '' | |
| env: | |
| TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }} | |
| run: | | |
| echo "Revoking GitHub App installation token..." | |
| # GitHub CLI will auth with the token being revoked. | |
| gh api \ | |
| --method DELETE \ | |
| -H "Authorization: token $TOKEN" \ | |
| /installation/token || echo "Token revoke may already be expired." | |
| echo "Token invalidation step complete." | |