From 9475590f0d55d95c013620b1bad7b6d1ea4a3748 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 28 May 2026 09:15:43 +0000
Subject: [PATCH 1/4] Initial plan
From b1f4018b24b4d5b32815b631e8d0d300d5a77b0d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 28 May 2026 09:26:15 +0000
Subject: [PATCH 2/4] Fix aw-auto-update: add allow-workflows and github-app
for workflow file push
The workflow was failing with "refusing to allow a GitHub App to create or
update workflow without workflows permission" because pushing .github/workflows/
files requires the workflows:write permission.
Fix by adding:
- allow-workflows: true to create-pull-request and push-to-pull-request-branch
- github-app config (client-id/private-key) required for workflows permission
- Fix deprecated labels/title-prefix in push-to-pull-request-branch
Co-authored-by: T-Gro <46543583+T-Gro@users.noreply.github.com>
---
.github/workflows/aw-auto-update.lock.yml | 110 +++++++++++++++++-----
.github/workflows/aw-auto-update.md | 9 +-
2 files changed, 92 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/aw-auto-update.lock.yml b/.github/workflows/aw-auto-update.lock.yml
index 86f1d628a1c..8e48bfa3500 100644
--- a/.github/workflows/aw-auto-update.lock.yml
+++ b/.github/workflows/aw-auto-update.lock.yml
@@ -1,5 +1,5 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c44a2f68ba9ebc265231a8a921ca9879b1d2d5a4ff2f39778a6b2a2999a00052","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"}
-# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"35552cbe58722f4f300c6443584709661ca758b237f987fb17c67d88e4d5ae76","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"}
+# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_APP_PRIVATE_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/create-github-app-token","sha":"bcd2ba49218906704ab6c1aa796996da409d3eb1","version":"v3.2.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]}
# ___ _ _
# / _ \ | | (_)
# | |_| | __ _ ___ _ __ | |_ _ ___
@@ -27,6 +27,7 @@
#
# Secrets used:
# - COPILOT_GITHUB_TOKEN
+# - GH_AW_APP_PRIVATE_KEY
# - GH_AW_CI_TRIGGER_TOKEN
# - GH_AW_GITHUB_MCP_SERVER_TOKEN
# - GH_AW_GITHUB_TOKEN
@@ -34,6 +35,7 @@
#
# Custom actions used:
# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+# - actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
# - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
# - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -189,24 +191,24 @@ jobs:
run: |
bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
{
- cat << 'GH_AW_PROMPT_96b5579e2ed86490_EOF'
+ cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
- GH_AW_PROMPT_96b5579e2ed86490_EOF
+ GH_AW_PROMPT_e573aa99315ca182_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_96b5579e2ed86490_EOF'
+ cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
Tools: create_pull_request, push_to_pull_request_branch, missing_tool, missing_data, noop
- GH_AW_PROMPT_96b5579e2ed86490_EOF
+ GH_AW_PROMPT_e573aa99315ca182_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_create_pull_request.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_push_to_pr_branch.md"
- cat << 'GH_AW_PROMPT_96b5579e2ed86490_EOF'
+ cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
- GH_AW_PROMPT_96b5579e2ed86490_EOF
+ GH_AW_PROMPT_e573aa99315ca182_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
- cat << 'GH_AW_PROMPT_96b5579e2ed86490_EOF'
+ cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
The following GitHub context information is available for this workflow:
{{#if github.actor}}
@@ -238,12 +240,12 @@ jobs:
- **Note**: If a branch you need is not in the list above and is not listed as an additional fetched ref, it has NOT been checked out. For private repositories you cannot fetch it without proper authentication. If the branch is required and not available, exit with an error and ask the user to add it to the `fetch:` option of the `checkout:` configuration (e.g., `fetch: ["refs/pulls/open/*"]` for all open PR refs, or `fetch: ["main", "feature/my-branch"]` for specific branches).
- GH_AW_PROMPT_96b5579e2ed86490_EOF
+ GH_AW_PROMPT_e573aa99315ca182_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_96b5579e2ed86490_EOF'
+ cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
{{#runtime-import .github/workflows/aw-auto-update.md}}
- GH_AW_PROMPT_96b5579e2ed86490_EOF
+ GH_AW_PROMPT_e573aa99315ca182_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -448,9 +450,9 @@ jobs:
mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_9d88d7a86ef27a50_EOF'
+ cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_ee2dec122e9a1714_EOF'
{"create_pull_request":{"allowed_files":[".github/workflows/*.md",".github/workflows/*.lock.yml",".github/workflows/shared/**",".github/aw/**",".github/agents/**"],"draft":false,"labels":["automation"],"max":1,"max_patch_files":100,"max_patch_size":1024,"protect_top_level_dot_folders":true,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","DESIGN.md","README.md","CONTRIBUTING.md","CHANGELOG.md","SECURITY.md","CODE_OF_CONDUCT.md","AGENTS.md","CLAUDE.md","GEMINI.md"],"protected_files_policy":"fallback-to-issue","title_prefix":"[Auto Update] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"push_to_pull_request_branch":{"allowed_files":[".github/workflows/*.md",".github/workflows/*.lock.yml",".github/workflows/shared/**",".github/aw/**",".github/agents/**"],"if_no_changes":"warn","max":1,"max_patch_size":1024,"protect_top_level_dot_folders":true,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","DESIGN.md","README.md","CONTRIBUTING.md","CHANGELOG.md","SECURITY.md","CODE_OF_CONDUCT.md","AGENTS.md","CLAUDE.md","GEMINI.md"],"protected_files_policy":"fallback-to-issue","required_labels":["automation"],"target":"*","title_prefix":"[Auto Update] "},"report_incomplete":{}}
- GH_AW_SAFE_OUTPUTS_CONFIG_9d88d7a86ef27a50_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_ee2dec122e9a1714_EOF
- name: Generate Safe Outputs Tools
env:
GH_AW_TOOLS_META_JSON: |
@@ -682,7 +684,7 @@ jobs:
mkdir -p /home/runner/.copilot
GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
- cat << GH_AW_MCP_CONFIG_518a6cfd15c91356_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+ cat << GH_AW_MCP_CONFIG_4ea7d07f0a759450_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
{
"mcpServers": {
"github": {
@@ -726,7 +728,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_518a6cfd15c91356_EOF
+ GH_AW_MCP_CONFIG_4ea7d07f0a759450_EOF
- name: Mount MCP servers as CLIs
id: mount-mcp-clis
continue-on-error: true
@@ -993,6 +995,20 @@ jobs:
GH_AW_INFO_VERSION: "1.0.52"
GH_AW_INFO_AWF_VERSION: "v0.25.55"
GH_AW_INFO_ENGINE_ID: "copilot"
+ - name: Generate GitHub App token
+ id: safe-outputs-app-token
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ with:
+ client-id: ${{ vars.GH_AW_APP_CLIENT_ID }}
+ private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: ${{ github.event.repository.name }}
+ github-api-url: ${{ github.api_url }}
+ permission-administration: read
+ permission-contents: write
+ permission-issues: write
+ permission-pull-requests: write
+ permission-workflows: write
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
@@ -1019,7 +1035,7 @@ jobs:
GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
GH_AW_NOOP_REPORT_AS_ISSUE: "false"
with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
@@ -1036,7 +1052,7 @@ jobs:
GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
@@ -1051,7 +1067,7 @@ jobs:
GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/aw-auto-update.md"
with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
@@ -1066,7 +1082,7 @@ jobs:
GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/aw-auto-update.md"
with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
@@ -1096,6 +1112,8 @@ jobs:
GH_AW_ENGINE_API_HOSTS: "api.enterprise.githubcopilot.com,api.githubcopilot.com,api.business.githubcopilot.com,api.individual.githubcopilot.com"
GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }}
GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }}
+ GH_AW_SAFE_OUTPUTS_APP_TOKEN_MINTING_FAILED: ${{ needs.safe_outputs.outputs.app_token_minting_failed }}
+ GH_AW_CONCLUSION_APP_TOKEN_MINTING_FAILED: ${{ steps.safe-outputs-app-token.outcome == 'failure' }}
GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
GH_AW_GROUP_REPORTS: "false"
@@ -1105,12 +1123,25 @@ jobs:
GH_AW_TIMEOUT_MINUTES: "15"
GH_AW_MAX_EFFECTIVE_TOKENS: "25000000"
with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_agent_failure.cjs');
await main();
+ - name: Invalidate GitHub App token
+ if: always() && steps.safe-outputs-app-token.outputs.token != ''
+ env:
+ TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
+ run: |
+ echo "Revoking GitHub App installation token..."
+ # GitHub CLI will auth with the token being revoked.
+ gh api \
+ --method DELETE \
+ -H "Authorization: token $TOKEN" \
+ /installation/token || echo "Token revoke may already be expired."
+
+ echo "Token invalidation step complete."
detection:
needs:
@@ -1338,6 +1369,7 @@ jobs:
GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/aw-auto-update.md"
outputs:
+ app_token_minting_failed: ${{ steps.safe-outputs-app-token.outcome == 'failure' }}
code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
@@ -1383,6 +1415,20 @@ jobs:
with:
name: agent
path: /tmp/gh-aw/
+ - name: Generate GitHub App token
+ id: safe-outputs-app-token
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ with:
+ client-id: ${{ vars.GH_AW_APP_CLIENT_ID }}
+ private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: ${{ github.event.repository.name }}
+ github-api-url: ${{ github.api_url }}
+ permission-administration: read
+ permission-contents: write
+ permission-issues: write
+ permission-pull-requests: write
+ permission-workflows: write
- name: Extract base branch from agent output
id: extract-base-branch
if: steps.download-agent-output.outcome == 'success'
@@ -1411,7 +1457,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.repository.default_branch }}
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ token: ${{ steps.safe-outputs-app-token.outputs.token }}
persist-credentials: false
fetch-depth: 1
- name: Checkout repository
@@ -1419,7 +1465,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ steps.extract-base-branch.outputs.base-branch || github.base_ref || github.event.pull_request.base.ref || github.ref_name || github.event.repository.default_branch }}
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ token: ${{ steps.safe-outputs-app-token.outputs.token }}
persist-credentials: false
fetch-depth: 1
- name: Configure Git credentials
@@ -1427,7 +1473,7 @@ jobs:
env:
REPO_NAME: ${{ github.repository }}
SERVER_URL: ${{ github.server_url }}
- GIT_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ GIT_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
run: |
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
@@ -1456,13 +1502,27 @@ jobs:
GITHUB_API_URL: ${{ github.api_url }}
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"allowed_files\":[\".github/workflows/*.md\",\".github/workflows/*.lock.yml\",\".github/workflows/shared/**\",\".github/aw/**\",\".github/agents/**\"],\"draft\":false,\"labels\":[\"automation\"],\"max\":1,\"max_patch_files\":100,\"max_patch_size\":1024,\"protect_top_level_dot_folders\":true,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"DESIGN.md\",\"README.md\",\"CONTRIBUTING.md\",\"CHANGELOG.md\",\"SECURITY.md\",\"CODE_OF_CONDUCT.md\",\"AGENTS.md\",\"CLAUDE.md\",\"GEMINI.md\"],\"protected_files_policy\":\"fallback-to-issue\",\"title_prefix\":\"[Auto Update] 
\"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"push_to_pull_request_branch\":{\"allowed_files\":[\".github/workflows/*.md\",\".github/workflows/*.lock.yml\",\".github/workflows/shared/**\",\".github/aw/**\",\".github/agents/**\"],\"if_no_changes\":\"warn\",\"max\":1,\"max_patch_size\":1024,\"protect_top_level_dot_folders\":true,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"DESIGN.md\",\"README.md\",\"CONTRIBUTING.md\",\"CHANGELOG.md\",\"SECURITY.md\",\"CODE_OF_CONDUCT.md\",\"AGENTS.md\",\"CLAUDE.md\",\"GEMINI.md\"],\"protected_files_policy\":\"fallback-to-issue\",\"required_labels\":[\"automation\"],\"target\":\"*\",\"title_prefix\":\"[Auto Update] \"},\"report_incomplete\":{}}"
GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs');
await main();
+ - name: Invalidate GitHub App token
+ if: always() && steps.safe-outputs-app-token.outputs.token != ''
+ env:
+ TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
+ run: |
+ echo "Revoking GitHub App installation token..."
+ # GitHub CLI will auth with the token being revoked.
+ gh api \
+ --method DELETE \
+ -H "Authorization: token $TOKEN" \
+ /installation/token || echo "Token revoke may already be expired."
+
+ echo "Token invalidation step complete."
- name: Upload Safe Outputs Items
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
diff --git a/.github/workflows/aw-auto-update.md b/.github/workflows/aw-auto-update.md
index 8ca4e52ee54..3aa67e65bcb 100644
--- a/.github/workflows/aw-auto-update.md
+++ b/.github/workflows/aw-auto-update.md
@@ -27,6 +27,9 @@ tools:
bash: true
safe-outputs:
+ github-app:
+ client-id: ${{ vars.GH_AW_APP_CLIENT_ID }}
+ private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
noop:
report-as-issue: false
create-pull-request:
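Review bot: The `github-app` block makes every write step of the compiled safe-outputs and conclusion jobs depend on `vars.GH_AW_APP_CLIENT_ID` and `secrets.GH_AW_APP_PRIVATE_KEY`, and neither this frontmatter nor the commit message records the prerequisite that a GitHub App is installed on the repository with the workflows permission granted; the follow-up commit in this series states the repo has no such App, so as merged the token-minting step fails and the rewritten `github-token:`/`token:` inputs resolve to an empty string. A comment above `github-app:` should state the requirement, e.g. `# Requires a GitHub App installed on this repo with contents, pull-requests and workflows write access; client id in a repo variable, private key in a repo secret`. The compiled lock file also requests `permission-administration: read` for the minted token, which pushing workflow files does not obviously need; it is worth confirming whether the compiler lets the frontmatter narrow that permission set.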
@@ -34,6 +37,7 @@ safe-outputs:
title-prefix: "[Auto Update] "
labels: [automation]
max: 1
+ allow-workflows: true
allowed-files:
- ".github/workflows/*.md"
- ".github/workflows/*.lock.yml"
@@ -43,9 +47,10 @@ safe-outputs:
protected-files: fallback-to-issue
push-to-pull-request-branch:
target: "*"
- title-prefix: "[Auto Update] "
- labels: [automation]
+ required-title-prefix: "[Auto Update] "
+ required-labels: [automation]
max: 1
+ allow-workflows: true
allowed-files:
- ".github/workflows/*.md"
- ".github/workflows/*.lock.yml"
From 5ee5e16ddefac518772054f79b635cd1f2c8c13d Mon Sep 17 00:00:00 2001
From: Tomas Grosup
Date: Thu, 28 May 2026 15:51:00 +0200
Subject: [PATCH 3/4] Replace push-to-workflow flow with create-agent-session
delegation
The previous attempt added a GitHub App with new required secrets to bypass
GitHub's rule that GITHUB_TOKEN cannot push under .github/workflows/. The repo
has no GH App and no plan to provision one.
Make aw-auto-update detection-only: its safe outputs are restricted to noop
(the normal steady state) and create-agent-session. When an upgrade is
detected, the workflow delegates the actual upgrade + recompile + PR work to
a Copilot Coding Agent session authenticated via COPILOT_GITHUB_TOKEN, which
already exists in the repo and can write workflow files under its own
identity. No new secrets, no GitHub App, no allow-workflows.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/aw-auto-update.lock.yml | 285 +++++-----------------
.github/workflows/aw-auto-update.md | 169 +++++++++----
2 files changed, 175 insertions(+), 279 deletions(-)
diff --git a/.github/workflows/aw-auto-update.lock.yml b/.github/workflows/aw-auto-update.lock.yml
index 8e48bfa3500..35532b8b30b 100644
--- a/.github/workflows/aw-auto-update.lock.yml
+++ b/.github/workflows/aw-auto-update.lock.yml
@@ -1,5 +1,5 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"35552cbe58722f4f300c6443584709661ca758b237f987fb17c67d88e4d5ae76","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"}
-# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_APP_PRIVATE_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/create-github-app-token","sha":"bcd2ba49218906704ab6c1aa796996da409d3eb1","version":"v3.2.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d6083f9baf6dda3837c0aef23d23be245ebf1e27b6e3bfd4fc841b89842b59cc","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"}
+# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]}
# ___ _ _
# / _ \ | | (_)
# | |_| | __ _ ___ _ __ | |_ _ ___
@@ -22,20 +22,25 @@
#
# For more information: https://github.github.com/gh-aw/introduction/overview/
#
-# Keeps agentic workflows up to date by running `gh aw upgrade` and `gh aw compile` daily.
-# If changes are detected, pushes them to a long-lived branch and creates or updates a PR.
+# Detects whether the gh-aw infrastructure has pending updates. The detection
+# run itself has zero write surface: its only outputs are `noop` (nothing to do —
+# the normal steady state) or `create-agent-session` (delegate the actual
+# upgrade + recompile + PR to a Copilot Coding Agent session).
+#
+# Rationale: `gh aw compile` writes to `.github/workflows/*.lock.yml`, but the
+# default `GITHUB_TOKEN` cannot push under `.github/workflows/` (GitHub platform
+# rule). Rather than provisioning a GitHub App or PAT, this workflow delegates
+# the write work to a Copilot Coding Agent session, which runs under its own
+# identity (COPILOT_GITHUB_TOKEN) and can write workflow files.
#
# Secrets used:
# - COPILOT_GITHUB_TOKEN
-# - GH_AW_APP_PRIVATE_KEY
-# - GH_AW_CI_TRIGGER_TOKEN
# - GH_AW_GITHUB_MCP_SERVER_TOKEN
# - GH_AW_GITHUB_TOKEN
# - GITHUB_TOKEN
#
# Custom actions used:
# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-# - actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
# - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
# - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -50,7 +55,7 @@
# - ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4
# - node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14
-name: "Agentic Workflow Auto-Update"
+name: "Agentic Workflow Auto-Update — Detection"
on:
schedule:
- cron: "52 */24 * * *"
@@ -68,7 +73,7 @@ permissions: {}
concurrency:
group: "gh-aw-${{ github.workflow }}"
-run-name: "Agentic Workflow Auto-Update"
+run-name: "Agentic Workflow Auto-Update — Detection"
jobs:
activation:
@@ -95,7 +100,7 @@ jobs:
destination: ${{ runner.temp }}/gh-aw/actions
job-name: ${{ github.job }}
env:
- GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/aw-auto-update.lock.yml@${{ github.ref }}
GH_AW_INFO_VERSION: "1.0.52"
GH_AW_INFO_AWF_VERSION: "v0.25.55"
@@ -109,7 +114,7 @@ jobs:
GH_AW_INFO_VERSION: "1.0.52"
GH_AW_INFO_AGENT_VERSION: "1.0.52"
GH_AW_INFO_CLI_VERSION: "v0.76.1"
- GH_AW_INFO_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_INFO_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
GH_AW_INFO_STAGED: "false"
@@ -191,24 +196,20 @@ jobs:
run: |
bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
{
- cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
+ cat << 'GH_AW_PROMPT_7fc58f21a6ccf771_EOF'
- GH_AW_PROMPT_e573aa99315ca182_EOF
+ GH_AW_PROMPT_7fc58f21a6ccf771_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
+ cat << 'GH_AW_PROMPT_7fc58f21a6ccf771_EOF'
- Tools: create_pull_request, push_to_pull_request_branch, missing_tool, missing_data, noop
- GH_AW_PROMPT_e573aa99315ca182_EOF
- cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_create_pull_request.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_push_to_pr_branch.md"
- cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
+ Tools: create_agent_session, missing_tool, missing_data, noop
- GH_AW_PROMPT_e573aa99315ca182_EOF
+ GH_AW_PROMPT_7fc58f21a6ccf771_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
- cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
+ cat << 'GH_AW_PROMPT_7fc58f21a6ccf771_EOF'
The following GitHub context information is available for this workflow:
{{#if github.actor}}
@@ -240,12 +241,12 @@ jobs:
- **Note**: If a branch you need is not in the list above and is not listed as an additional fetched ref, it has NOT been checked out. For private repositories you cannot fetch it without proper authentication. If the branch is required and not available, exit with an error and ask the user to add it to the `fetch:` option of the `checkout:` configuration (e.g., `fetch: ["refs/pulls/open/*"]` for all open PR refs, or `fetch: ["main", "feature/my-branch"]` for specific branches).
- GH_AW_PROMPT_e573aa99315ca182_EOF
+ GH_AW_PROMPT_7fc58f21a6ccf771_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_e573aa99315ca182_EOF'
+ cat << 'GH_AW_PROMPT_7fc58f21a6ccf771_EOF'
{{#runtime-import .github/workflows/aw-auto-update.md}}
- GH_AW_PROMPT_e573aa99315ca182_EOF
+ GH_AW_PROMPT_7fc58f21a6ccf771_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -359,7 +360,7 @@ jobs:
trace-id: ${{ needs.activation.outputs.setup-trace-id }}
parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
env:
- GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/aw-auto-update.lock.yml@${{ github.ref }}
GH_AW_INFO_VERSION: "1.0.52"
GH_AW_INFO_AWF_VERSION: "v0.25.55"
@@ -446,64 +447,39 @@ jobs:
- name: Download container images
run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.55 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55 ghcr.io/github/gh-aw-firewall/squid:0.25.55 ghcr.io/github/gh-aw-mcpg:v0.3.19 ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4 node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14
- name: Generate Safe Outputs Config
+ env:
+ COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
run: |
mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_ee2dec122e9a1714_EOF'
- {"create_pull_request":{"allowed_files":[".github/workflows/*.md",".github/workflows/*.lock.yml",".github/workflows/shared/**",".github/aw/**",".github/agents/**"],"draft":false,"labels":["automation"],"max":1,"max_patch_files":100,"max_patch_size":1024,"protect_top_level_dot_folders":true,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","DESIGN.md","README.md","CONTRIBUTING.md","CHANGELOG.md","SECURITY.md","CODE_OF_CONDUCT.md","AGENTS.md","CLAUDE.md","GEMINI.md"],"protected_files_policy":"fallback-to-issue","title_prefix":"[Auto Update] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"push_to_pull_request_branch":{"allowed_files":[".github/workflows/*.md",".github/workflows/*.lock.yml",".github/workflows/shared/**",".github/aw/**",".github/agents/**"],"if_no_changes":"warn","max":1,"max_patch_size":1024,"protect_top_level_dot_folders":true,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","DESIGN.md","README.md","CONTRIBUTING.md","CHANGELOG.md","SECURITY.md","CODE_OF_CONDUCT.md","AGENTS.md","CLAUDE.md","GEMINI.md"],"protected_files_policy":"fallback-to-issue","required_labels":["automation"],"target":"*","title_prefix":"[Auto Update] "},"report_incomplete":{}}
- GH_AW_SAFE_OUTPUTS_CONFIG_ee2dec122e9a1714_EOF
+ cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_3821d7120be5d209_EOF
+ {"create_agent_session":{"base":"main","github-token":"${COPILOT_GITHUB_TOKEN}","max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"report_incomplete":{}}
+ GH_AW_SAFE_OUTPUTS_CONFIG_3821d7120be5d209_EOF
- name: Generate Safe Outputs Tools
env:
GH_AW_TOOLS_META_JSON: |
{
"description_suffixes": {
- "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[Auto Update] \". Labels [\"automation\"] will be automatically added.",
- "push_to_pull_request_branch": " CONSTRAINTS: Maximum 1 push(es) can be made. The target pull request title must start with \"[Auto Update] \"."
+ "create_agent_session": " CONSTRAINTS: Maximum 1 agent task(s) can be created. Base branch for tasks: \"main\"."
},
"repo_params": {},
"dynamic_tools": []
}
GH_AW_VALIDATION_JSON: |
{
- "create_pull_request": {
+ "create_agent_session": {
"defaultMax": 1,
"fields": {
- "base": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
"body": {
"required": true,
"type": "string",
"sanitize": true,
"maxLength": 65000
},
- "branch": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "draft": {
- "type": "boolean"
- },
- "labels": {
- "type": "array",
- "itemType": "string",
- "itemSanitize": true,
- "itemMaxLength": 128
- },
"repo": {
"type": "string",
"maxLength": 256
- },
- "title": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 128
}
}
},
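Review bot: The new `cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_3821d7120be5d209_EOF` line drops the single quotes the previous delimiter had, so the shell expands `${COPILOT_GITHUB_TOKEN}` and writes the secret in plaintext into config.json inside the agent job, where a `bash: true` agent can presumably read it, and the value is spliced into a JSON literal with no escaping. The safe_outputs job already receives the same secret as `GH_AW_AGENT_SESSION_TOKEN`, so unless the handler can only read the token from config.json (not visible here), restore the quoted delimiter and drop the key: `cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_3821d7120be5d209_EOF'` with `{"create_agent_session":{"base":"main","max":1},...}`. Separately, the `create_agent_session` validation keeps a free-form `repo` field (`maxLength: 256`, no `sanitize`), so if the handler honors it the agent can point the Copilot session at any repository that token reaches; consider pinning it to the current repository or adding an allowlist.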
@@ -564,26 +540,6 @@ jobs:
}
}
},
- "push_to_pull_request_branch": {
- "defaultMax": 1,
- "fields": {
- "branch": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "message": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "pull_request_number": {
- "issueOrPRNumber": true
- }
- }
- },
"report_incomplete": {
"defaultMax": 5,
"fields": {
@@ -684,7 +640,7 @@ jobs:
mkdir -p /home/runner/.copilot
GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
- cat << GH_AW_MCP_CONFIG_4ea7d07f0a759450_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+ cat << GH_AW_MCP_CONFIG_fd16d513a6a5ac3a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
{
"mcpServers": {
"github": {
@@ -694,7 +650,7 @@ jobs:
"GITHUB_HOST": "\${GITHUB_SERVER_URL}",
"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
"GITHUB_READ_ONLY": "1",
- "GITHUB_TOOLSETS": "pull_requests"
+ "GITHUB_TOOLSETS": "pull_requests,issues"
},
"guard-policies": {
"allow-only": {
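Review bot: Adding `issues` to `GITHUB_TOOLSETS` widens what the agent reads to issue titles, bodies and comments, which any GitHub user can author, while `GITHUB_READ_ONLY: "1"` stays in place. Because the run's only non-trivial output is now `create_agent_session`, whose `body` is forwarded to a write-capable Copilot Coding Agent session, issue text becomes a prompt-injection path into that session that the detection job's own read-only grants do not contain. If the extra toolset is only needed for `missing_tool`/`report_incomplete` lookups, keep the `allow-only` guard limited to the specific issue tools used and add a prompt-side note that issue content is untrusted input; the `guard-policies` block continues outside the hunk.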
@@ -728,7 +684,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_4ea7d07f0a759450_EOF
+ GH_AW_MCP_CONFIG_fd16d513a6a5ac3a_EOF
- name: Mount MCP servers as CLIs
id: mount-mcp-clis
continue-on-error: true
@@ -968,9 +924,8 @@ jobs:
needs.activation.outputs.stale_lock_file_failed == 'true')
runs-on: ubuntu-slim
permissions:
- contents: write
+ contents: read
issues: write
- pull-requests: write
concurrency:
group: "gh-aw-conclusion-aw-auto-update"
cancel-in-progress: false
@@ -990,25 +945,11 @@ jobs:
trace-id: ${{ needs.activation.outputs.setup-trace-id }}
parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
env:
- GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/aw-auto-update.lock.yml@${{ github.ref }}
GH_AW_INFO_VERSION: "1.0.52"
GH_AW_INFO_AWF_VERSION: "v0.25.55"
GH_AW_INFO_ENGINE_ID: "copilot"
- - name: Generate GitHub App token
- id: safe-outputs-app-token
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
- with:
- client-id: ${{ vars.GH_AW_APP_CLIENT_ID }}
- private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
- owner: ${{ github.repository_owner }}
- repositories: ${{ github.event.repository.name }}
- github-api-url: ${{ github.api_url }}
- permission-administration: read
- permission-contents: write
- permission-issues: write
- permission-pull-requests: write
- permission-workflows: write
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
@@ -1029,13 +970,13 @@ jobs:
env:
GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
GH_AW_NOOP_MAX: "1"
- GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/aw-auto-update.md"
GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
GH_AW_NOOP_REPORT_AS_ISSUE: "false"
with:
- github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
@@ -1046,13 +987,13 @@ jobs:
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/aw-auto-update.md"
GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
with:
- github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
@@ -1064,10 +1005,10 @@ jobs:
env:
GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
- GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/aw-auto-update.md"
with:
- github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
@@ -1079,10 +1020,10 @@ jobs:
env:
GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
- GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/aw-auto-update.md"
with:
- github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
@@ -1094,7 +1035,7 @@ jobs:
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/aw-auto-update.md"
GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
@@ -1110,10 +1051,6 @@ jobs:
GH_AW_AGENTIC_ENGINE_TIMEOUT: ${{ needs.agent.outputs.agentic_engine_timeout }}
GH_AW_MODEL_NOT_SUPPORTED_ERROR: ${{ needs.agent.outputs.model_not_supported_error }}
GH_AW_ENGINE_API_HOSTS: "api.enterprise.githubcopilot.com,api.githubcopilot.com,api.business.githubcopilot.com,api.individual.githubcopilot.com"
- GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }}
- GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }}
- GH_AW_SAFE_OUTPUTS_APP_TOKEN_MINTING_FAILED: ${{ needs.safe_outputs.outputs.app_token_minting_failed }}
- GH_AW_CONCLUSION_APP_TOKEN_MINTING_FAILED: ${{ steps.safe-outputs-app-token.outcome == 'failure' }}
GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
GH_AW_GROUP_REPORTS: "false"
@@ -1123,25 +1060,12 @@ jobs:
GH_AW_TIMEOUT_MINUTES: "15"
GH_AW_MAX_EFFECTIVE_TOKENS: "25000000"
with:
- github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_agent_failure.cjs');
await main();
- - name: Invalidate GitHub App token
- if: always() && steps.safe-outputs-app-token.outputs.token != ''
- env:
- TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
- run: |
- echo "Revoking GitHub App installation token..."
- # GitHub CLI will auth with the token being revoked.
- gh api \
- --method DELETE \
- -H "Authorization: token $TOKEN" \
- /installation/token || echo "Token revoke may already be expired."
-
- echo "Token invalidation step complete."
detection:
needs:
@@ -1166,7 +1090,7 @@ jobs:
trace-id: ${{ needs.activation.outputs.setup-trace-id }}
parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
env:
- GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/aw-auto-update.lock.yml@${{ github.ref }}
GH_AW_INFO_VERSION: "1.0.52"
GH_AW_INFO_AWF_VERSION: "v0.25.55"
@@ -1235,8 +1159,8 @@ jobs:
if: always() && steps.detection_guard.outputs.run_detection == 'true'
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
- WORKFLOW_NAME: "Agentic Workflow Auto-Update"
- WORKFLOW_DESCRIPTION: "Keeps agentic workflows up to date by running `gh aw upgrade` and `gh aw compile` daily.\nIf changes are detected, pushes them to a long-lived branch and creates or updates a PR."
+ WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
+ WORKFLOW_DESCRIPTION: "Detects whether the gh-aw infrastructure has pending updates. The detection\nrun itself has zero write surface: its only outputs are `noop` (nothing to do —\nthe normal steady state) or `create-agent-session` (delegate the actual\nupgrade + recompile + PR to a Copilot Coding Agent session).\n\nRationale: `gh aw compile` writes to `.github/workflows/*.lock.yml`, but the\ndefault `GITHUB_TOKEN` cannot push under `.github/workflows/` (GitHub platform\nrule). Rather than provisioning a GitHub App or PAT, this workflow delegates\nthe write work to a Copilot Coding Agent session, which runs under its own\nidentity (COPILOT_GITHUB_TOKEN) and can write workflow files."
HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
with:
script: |
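Review bot: The new `WORKFLOW_DESCRIPTION` says the detection run has "zero write surface", but this same lock file still grants `issues: write` to the safe_outputs and conclusion jobs and sets `GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"` and `GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"`, so the run can still open issues, and `create-agent-session` itself starts a session that writes on the run's behalf. The text is compiled from the `description:` in aw-auto-update.md, so correct it there and recompile; for example `The detection run holds no contents or pull-requests write permission; it can still file issues via missing_tool/report_incomplete, and create-agent-session delegates all repository writes to a Copilot Coding Agent session.`. Overstating the isolation here matters because the description is what a reader uses to judge whether a prompt-injection finding against this workflow is exploitable.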
@@ -1353,9 +1277,8 @@ jobs:
if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
runs-on: ubuntu-slim
permissions:
- contents: write
+ contents: read
issues: write
- pull-requests: write
timeout-minutes: 15
env:
GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/aw-auto-update"
@@ -1366,20 +1289,17 @@ jobs:
GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
GH_AW_ENGINE_VERSION: "1.0.52"
GH_AW_WORKFLOW_ID: "aw-auto-update"
- GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/aw-auto-update.md"
outputs:
- app_token_minting_failed: ${{ steps.safe-outputs-app-token.outcome == 'failure' }}
code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
+ create_agent_session_session_number: ${{ steps.process_safe_outputs.outputs.session_number }}
+ create_agent_session_session_url: ${{ steps.process_safe_outputs.outputs.session_url }}
create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
- created_pr_number: ${{ steps.process_safe_outputs.outputs.created_pr_number }}
- created_pr_url: ${{ steps.process_safe_outputs.outputs.created_pr_url }}
process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
- push_commit_sha: ${{ steps.process_safe_outputs.outputs.push_commit_sha }}
- push_commit_url: ${{ steps.process_safe_outputs.outputs.push_commit_url }}
steps:
- name: Setup Scripts
id: setup
@@ -1390,7 +1310,7 @@ jobs:
trace-id: ${{ needs.activation.outputs.setup-trace-id }}
parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
env:
- GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update"
+ GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Auto-Update — Detection"
GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/aw-auto-update.lock.yml@${{ github.ref }}
GH_AW_INFO_VERSION: "1.0.52"
GH_AW_INFO_AWF_VERSION: "v0.25.55"
@@ -1409,79 +1329,6 @@ jobs:
mkdir -p /tmp/gh-aw/
find "/tmp/gh-aw/" -type f -print
echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- - name: Download patch artifact
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: agent
- path: /tmp/gh-aw/
- - name: Generate GitHub App token
- id: safe-outputs-app-token
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
- with:
- client-id: ${{ vars.GH_AW_APP_CLIENT_ID }}
- private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
- owner: ${{ github.repository_owner }}
- repositories: ${{ github.event.repository.name }}
- github-api-url: ${{ github.api_url }}
- permission-administration: read
- permission-contents: write
- permission-issues: write
- permission-pull-requests: write
- permission-workflows: write
- - name: Extract base branch from agent output
- id: extract-base-branch
- if: steps.download-agent-output.outcome == 'success'
- shell: bash
- run: |
- if [ -f "/tmp/gh-aw/agent_output.json" ]; then
- GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
- BASE_BRANCH=$("$GH_AW_NODE" -e "
- try {
- const data = JSON.parse(require('fs').readFileSync('/tmp/gh-aw/agent_output.json', 'utf8'));
- const item = (data.items || []).find(i =>
- (i.type === 'create_pull_request' || i.type === 'push_to_pull_request_branch') &&
- i.base_branch
- );
- if (item) process.stdout.write(item.base_branch);
- } catch(e) {}
- " 2>/dev/null || true)
- # Validate: only allow safe git branch name characters
- if [[ "$BASE_BRANCH" =~ ^[a-zA-Z0-9/_.-]+$ ]] && [ ${#BASE_BRANCH} -le 255 ]; then
- printf 'base-branch=%s\n' "$BASE_BRANCH" >> "$GITHUB_OUTPUT"
- echo "Extracted base branch from safe output: $BASE_BRANCH"
- fi
- fi
- - name: Checkout repository (trusted default branch for comment events)
- if: ((!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') || (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) && (github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment')
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- ref: ${{ github.event.repository.default_branch }}
- token: ${{ steps.safe-outputs-app-token.outputs.token }}
- persist-credentials: false
- fetch-depth: 1
- - name: Checkout repository
- if: ((!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') || (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) && github.event_name != 'issue_comment' && github.event_name != 'pull_request_review_comment'
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- ref: ${{ steps.extract-base-branch.outputs.base-branch || github.base_ref || github.event.pull_request.base.ref || github.ref_name || github.event.repository.default_branch }}
- token: ${{ steps.safe-outputs-app-token.outputs.token }}
- persist-credentials: false
- fetch-depth: 1
- - name: Configure Git credentials
- if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') || (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- GIT_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- name: Configure GH_HOST for enterprise compatibility
id: ghes-host-config
shell: bash
@@ -1500,29 +1347,15 @@ jobs:
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,patch-diff.githubusercontent.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,storage.googleapis.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_API_URL: ${{ github.api_url }}
- GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"allowed_files\":[\".github/workflows/*.md\",\".github/workflows/*.lock.yml\",\".github/workflows/shared/**\",\".github/aw/**\",\".github/agents/**\"],\"draft\":false,\"labels\":[\"automation\"],\"max\":1,\"max_patch_files\":100,\"max_patch_size\":1024,\"protect_top_level_dot_folders\":true,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"DESIGN.md\",\"README.md\",\"CONTRIBUTING.md\",\"CHANGELOG.md\",\"SECURITY.md\",\"CODE_OF_CONDUCT.md\",\"AGENTS.md\",\"CLAUDE.md\",\"GEMINI.md\"],\"protected_files_policy\":\"fallback-to-issue\",\"title_prefix\":\"[Auto Update] 
\"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"push_to_pull_request_branch\":{\"allowed_files\":[\".github/workflows/*.md\",\".github/workflows/*.lock.yml\",\".github/workflows/shared/**\",\".github/aw/**\",\".github/agents/**\"],\"if_no_changes\":\"warn\",\"max\":1,\"max_patch_size\":1024,\"protect_top_level_dot_folders\":true,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"DESIGN.md\",\"README.md\",\"CONTRIBUTING.md\",\"CHANGELOG.md\",\"SECURITY.md\",\"CODE_OF_CONDUCT.md\",\"AGENTS.md\",\"CLAUDE.md\",\"GEMINI.md\"],\"protected_files_policy\":\"fallback-to-issue\",\"required_labels\":[\"automation\"],\"target\":\"*\",\"title_prefix\":\"[Auto Update] \"},\"report_incomplete\":{}}"
- GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
- GITHUB_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
+ GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_agent_session\":{\"base\":\"main\",\"github-token\":\"${{ secrets.COPILOT_GITHUB_TOKEN }}\",\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"report_incomplete\":{}}"
+ GH_AW_AGENT_SESSION_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
with:
- github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io, getOctokit);
const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs');
await main();
- - name: Invalidate GitHub App token
- if: always() && steps.safe-outputs-app-token.outputs.token != ''
- env:
- TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
- run: |
- echo "Revoking GitHub App installation token..."
- # GitHub CLI will auth with the token being revoked.
- gh api \
- --method DELETE \
- -H "Authorization: token $TOKEN" \
- /installation/token || echo "Token revoke may already be expired."
-
- echo "Token invalidation step complete."
- name: Upload Safe Outputs Items
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
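Review bot: `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` now interpolates `${{ secrets.COPILOT_GITHUB_TOKEN }}` straight into a JSON string literal, so the secret is carried twice in this step (inline in the JSON and as `GH_AW_AGENT_SESSION_TOKEN`) and a token value containing `"` or `\` would yield invalid JSON that the handler cannot parse. Unless the handler can only read the token from the config (not visible here), keep the single env-var path and drop the inline key: `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_agent_session\":{\"base\":\"main\",\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"report_incomplete\":{}}"`. The `github-token` fallback to `secrets.GITHUB_TOKEN` on the following `with:` is consistent with this job's reduced `contents: read` / `issues: write` grant for the remaining handlers.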
diff --git a/.github/workflows/aw-auto-update.md b/.github/workflows/aw-auto-update.md
index 3aa67e65bcb..68dea9cc266 100644
--- a/.github/workflows/aw-auto-update.md
+++ b/.github/workflows/aw-auto-update.md
@@ -1,7 +1,15 @@
---
description: |
- Keeps agentic workflows up to date by running `gh aw upgrade` and `gh aw compile` daily.
- If changes are detected, pushes them to a long-lived branch and creates or updates a PR.
+ Detects whether the gh-aw infrastructure has pending updates. The detection
+ run itself has zero write surface: its only outputs are `noop` (nothing to do —
+ the normal steady state) or `create-agent-session` (delegate the actual
+ upgrade + recompile + PR to a Copilot Coding Agent session).
+
+ Rationale: `gh aw compile` writes to `.github/workflows/*.lock.yml`, but the
+ default `GITHUB_TOKEN` cannot push under `.github/workflows/` (GitHub platform
+ rule). Rather than provisioning a GitHub App or PAT, this workflow delegates
+ the write work to a Copilot Coding Agent session, which runs under its own
+ identity (COPILOT_GITHUB_TOKEN) and can write workflow files.
on:
schedule: every 24h
@@ -22,67 +30,122 @@ checkout:
tools:
github:
- toolsets: [pull_requests]
+ toolsets: [pull_requests, issues]
min-integrity: none
bash: true
safe-outputs:
- github-app:
- client-id: ${{ vars.GH_AW_APP_CLIENT_ID }}
- private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
noop:
report-as-issue: false
- create-pull-request:
- draft: false
- title-prefix: "[Auto Update] "
- labels: [automation]
- max: 1
- allow-workflows: true
- allowed-files:
- - ".github/workflows/*.md"
- - ".github/workflows/*.lock.yml"
- - ".github/workflows/shared/**"
- - ".github/aw/**"
- - ".github/agents/**"
- protected-files: fallback-to-issue
- push-to-pull-request-branch:
- target: "*"
- required-title-prefix: "[Auto Update] "
- required-labels: [automation]
+ create-agent-session:
+ base: main
max: 1
- allow-workflows: true
- allowed-files:
- - ".github/workflows/*.md"
- - ".github/workflows/*.lock.yml"
- - ".github/workflows/shared/**"
- - ".github/aw/**"
- - ".github/agents/**"
- protected-files: fallback-to-issue
+ github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }}
---
-# Agentic Workflow Auto-Update
+# Agentic Workflow Auto-Update — Detection
+
+You detect whether the gh-aw infrastructure has pending updates and, if so, delegate the actual upgrade work to a Copilot Coding Agent session. **You never commit, push, comment, create issues directly, or open PRs.** Your only allowed safe outputs are `noop` (the normal/expected steady state) and `create-agent-session` (delegate to CCA).
-You are a maintenance bot that keeps the repository's agentic workflow infrastructure current.
+## Background
+
+- This repo uses **GitHub Agentic Workflows (`gh aw`)** — source: , docs: .
+- Files managed by `gh aw` (the only paths that should ever change as a result of an upgrade):
+ - `.github/workflows/*.md` — agentic workflow sources
+ - `.github/workflows/*.lock.yml` — compiled lock files (generated by `gh aw compile`)
+ - `.github/workflows/shared/**`
+ - `.github/aw/**` (incl. `actions-lock.json` with pinned action SHAs)
+ - `.github/agents/**`
+- The `create-agent-session` safe output used here is documented at . The safe-outputs job invokes `gh agent-task create` using `COPILOT_GITHUB_TOKEN`, which spawns a Copilot Coding Agent run that has the perms required to write `.github/workflows/`.
## Task
-Run these steps in order and stop as soon as one tells you to exit:
-
-1. **Install gh-aw**: If `gh aw --version` fails, install the extension by running `gh extension install github/gh-aw`. If both fail, report the error and exit immediately.
-2. **Upgrade**: Run `gh aw upgrade` to update the gh-aw CLI version and apply any codemods. If the command fails, report the error and exit immediately.
-3. **Compile**: Run `gh aw compile` to recompile all workflows. If the command reports errors, report them and exit immediately.
-4. **Check for changes**: Run `git diff` to see if anything changed.
-5. **If no changes**: Report "Already up to date" and exit immediately. Do not search for PRs, do not run any other commands.
-6. **If changes exist**:
- - Check if an open PR titled `[Auto Update] Agentic workflows` already exists (search open PRs).
- - If a PR exists, push the changes to its branch (`agentics/auto-update-gh-aw`) to update it. Leave a brief comment noting what changed (e.g. "Updated gh-aw-actions/setup from vX to vY").
- - If no PR exists, create a new PR from branch `agentics/auto-update-gh-aw` to `main` with title `[Auto Update] Agentic workflows` and a body summarizing the changes.
-
-## Rules
-
-- Only run `gh extension install github/gh-aw`, `gh aw upgrade`, and `gh aw compile`. Do **not** run `go` commands, `npm` commands, or any other package manager or build tool. Do **not** attempt to fix dependency resolution errors or edit generated files (go.mod, go.sum, package.json, etc.) manually.
-- Only commit changes to files managed by `gh aw`: `.github/workflows/`, `.github/aw/`, `.github/agents/`.
-- Use a single commit with message: `Update agentic workflows via gh aw upgrade`.
-- The branch name must always be `agentics/auto-update-gh-aw`.
-- If `gh aw upgrade` or `gh aw compile` fails, report the error output and exit. Do **not** try to fix the failure.
-- Be concise in PR descriptions and comments.
+Run these steps in order:
+
+1. **Install `gh-aw`.** Run `gh extension install github/gh-aw` (skip if `gh aw --version` already succeeds). If install fails, emit `noop` and stop.
+2. **Upgrade.** Run `gh aw upgrade`. If it fails, emit `noop` and stop — do **not** try to fix the failure.
+3. **Compile.** Run `gh aw compile`. If it reports errors, emit `noop` and stop.
+4. **Capture state for the delegation payload (only used if changes are detected):**
+ - `NEW_VERSION` ← `gh aw --version`
+ - `DIFF_STAT` ← `git diff --stat`
+ - `CHANGED_FILES` ← `git diff --name-only`
+5. **Reset working tree.** Run `git reset --hard && git clean -fd` so no local changes leak out of this detection run.
+6. **Dedupe check.** Search for an already-open follow-up:
+ - Open PRs titled `[Auto Update] Agentic workflows` (`gh pr list --search "[Auto Update] Agentic workflows in:title" --state open`).
+ - Open issues titled `[Auto Update] Agentic workflows` (`gh issue list --search "[Auto Update] Agentic workflows in:title" --state open`) — these are the Copilot agent-session issues from previous runs.
+ - If **either** exists, emit `noop` and stop. The previous run's PR/session is still pending.
+7. **Decide and emit exactly one safe output:**
+ - `CHANGED_FILES` is empty → emit a single `noop`. **This is the normal/expected outcome on most runs — do not treat it as a failure and do not create an issue.**
+ - Otherwise → emit a single `create-agent-session` whose `body` is the template in the next section, with ``, ``, and `` substituted.
+
+## Agent session description (template)
+
+Use this exact body for the `create-agent-session` output. Title prefix `[Auto Update] Agentic workflows` is required (the dedupe check in step 6 looks for it).
+
+````markdown
+# [Auto Update] Agentic workflows → gh-aw
+
+The scheduled `aw-auto-update` detection run found that re-running
+`gh aw upgrade && gh aw compile` against `main` produces a non-empty diff.
+Please apply that diff and open a PR.
+
+## Steps
+
+1. Install the gh-aw CLI extension (skip if already installed):
+ ```bash
+ gh extension install github/gh-aw
+ ```
+2. Apply codemods and bump pinned action SHAs:
+ ```bash
+ gh aw upgrade
+ ```
+3. Recompile all workflows (regenerates `.github/workflows/*.lock.yml`):
+ ```bash
+ gh aw compile
+ ```
+4. Stage **only** files managed by `gh aw`:
+ - `.github/workflows/*.md`
+ - `.github/workflows/*.lock.yml`
+ - `.github/workflows/shared/**`
+ - `.github/aw/**`
+ - `.github/agents/**`
+5. Commit with message: `Update agentic workflows via gh aw upgrade`
+6. Open a PR to `main` titled `[Auto Update] Agentic workflows`. Keep the body
+ short — one line summarizing what changed (e.g. "gh-aw v0.X → v0.Y, codemods
+ applied"). The Files tab shows the diff; do not list files in the body.
+
+## Hard rules
+
+- Do **not** run `go`, `npm`, or any package manager / build tool.
+- Do **not** hand-edit `go.mod`, `go.sum`, `package.json`, or any dependency manifest.
+- Do **not** hand-edit generated `*.lock.yml` files — only `gh aw compile` writes those.
+- If `gh aw upgrade` or `gh aw compile` fails, stop and comment with the error
+ output. Do **not** try to fix it — open an issue for a human instead.
+
+## References
+
+- gh-aw repo:
+- gh-aw docs:
+- `gh aw upgrade` reference:
+- `gh aw compile` reference:
+
+## Detection evidence
+
+- `gh aw --version` on the detection run: ``
+- `git diff --stat`:
+ ```
+
+ ```
+- `git diff --name-only`:
+ ```
+
+ ```
+````
+
+## Rules (for this detection workflow)
+
+- Only commands you may run: `gh extension install github/gh-aw`, `gh aw --version`, `gh aw upgrade`, `gh aw compile`, `git diff`, `git reset`, `git clean`, `gh pr list`, `gh issue list`.
+- Never run `go`, `npm`, or any package manager / build tool.
+- Never commit, push, comment, create issues directly, or open PRs. Your only safe outputs are `noop` and `create-agent-session`.
+- Emit exactly one safe output per run.
+- `noop` is the expected steady state — do not report it as a failure and do not create an issue for it.
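Review bot: The dedupe check in step 6 (`gh pr list --search "[Auto Update] Agentic workflows in:title" --state open` and the matching `gh issue list`) treats any open PR or issue carrying that title as the bot's own pending work, so on a repository where outside contributors can open issues a single issue titled `[Auto Update] Agentic workflows` makes every later run emit `noop` and silently stops workflow updates for as long as it stays open. Scope the match to the automation's own identity, e.g. `gh issue list --search "[Auto Update] Agentic workflows in:title" --state open --author <copilot-agent-login>` (and the same `--author` on `gh pr list`), and say in step 6 that a title match from any other author must be ignored rather than treated as "still pending". Relatedly, steps 1–3 now map install, upgrade and compile failures to the same `noop` as the steady state, and with `report-as-issue: false` nothing surfaces them, so a persistently broken `gh aw upgrade` is indistinguishable from "already up to date"; the text this replaces at least reported the error output, and the compiled workflow appears to expose `missing_tool` / `report_incomplete` outputs that could carry it instead — worth confirming against the gh-aw docs before relying on that.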
From 662cedcbc7249df42d54be2a4dbacb84d3d9181d Mon Sep 17 00:00:00 2001
From: Tomas Grosup
Date: Thu, 28 May 2026 17:56:26 +0200
Subject: [PATCH 4/4] Remove explicit github-token from create-agent-session
Creating the agent task is an API-only call from the safe-outputs runner;
the runner does not touch workflow files (that happens later in the spawned
CCA session, under CCA's own identity). Default GITHUB_TOKEN with issues:write
should handle it. If gh agent-task create needs more later, we'll add it then.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/aw-auto-update.lock.yml | 37 +++++++++++------------
.github/workflows/aw-auto-update.md | 1 -
2 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/aw-auto-update.lock.yml b/.github/workflows/aw-auto-update.lock.yml
index 35532b8b30b..f2d2c99daff 100644
--- a/.github/workflows/aw-auto-update.lock.yml
+++ b/.github/workflows/aw-auto-update.lock.yml
@@ -1,5 +1,5 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d6083f9baf6dda3837c0aef23d23be245ebf1e27b6e3bfd4fc841b89842b59cc","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"}
-# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"5118fa2dff6dd5edefa10062845dd96d72a3031fb0d8b19a48dcfe5d25bbf718","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"}
+# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]}
# ___ _ _
# / _ \ | | (_)
# | |_| | __ _ ___ _ __ | |_ _ ___
@@ -35,6 +35,7 @@
#
# Secrets used:
# - COPILOT_GITHUB_TOKEN
+# - GH_AW_AGENT_TOKEN
# - GH_AW_GITHUB_MCP_SERVER_TOKEN
# - GH_AW_GITHUB_TOKEN
# - GITHUB_TOKEN
@@ -196,20 +197,20 @@ jobs:
run: |
bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
{
- cat << 'GH_AW_PROMPT_7fc58f21a6ccf771_EOF'
+ cat << 'GH_AW_PROMPT_084889a3ffcd2e2f_EOF'
- GH_AW_PROMPT_7fc58f21a6ccf771_EOF
+ GH_AW_PROMPT_084889a3ffcd2e2f_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_7fc58f21a6ccf771_EOF'
+ cat << 'GH_AW_PROMPT_084889a3ffcd2e2f_EOF'
Tools: create_agent_session, missing_tool, missing_data, noop
- GH_AW_PROMPT_7fc58f21a6ccf771_EOF
+ GH_AW_PROMPT_084889a3ffcd2e2f_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
- cat << 'GH_AW_PROMPT_7fc58f21a6ccf771_EOF'
+ cat << 'GH_AW_PROMPT_084889a3ffcd2e2f_EOF'
The following GitHub context information is available for this workflow:
{{#if github.actor}}
@@ -241,12 +242,12 @@ jobs:
- **Note**: If a branch you need is not in the list above and is not listed as an additional fetched ref, it has NOT been checked out. For private repositories you cannot fetch it without proper authentication. If the branch is required and not available, exit with an error and ask the user to add it to the `fetch:` option of the `checkout:` configuration (e.g., `fetch: ["refs/pulls/open/*"]` for all open PR refs, or `fetch: ["main", "feature/my-branch"]` for specific branches).
- GH_AW_PROMPT_7fc58f21a6ccf771_EOF
+ GH_AW_PROMPT_084889a3ffcd2e2f_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_7fc58f21a6ccf771_EOF'
+ cat << 'GH_AW_PROMPT_084889a3ffcd2e2f_EOF'
{{#runtime-import .github/workflows/aw-auto-update.md}}
- GH_AW_PROMPT_7fc58f21a6ccf771_EOF
+ GH_AW_PROMPT_084889a3ffcd2e2f_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -447,15 +448,13 @@ jobs:
- name: Download container images
run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.55 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55 ghcr.io/github/gh-aw-firewall/squid:0.25.55 ghcr.io/github/gh-aw-mcpg:v0.3.19 ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4 node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14
- name: Generate Safe Outputs Config
- env:
- COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
run: |
mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_3821d7120be5d209_EOF
- {"create_agent_session":{"base":"main","github-token":"${COPILOT_GITHUB_TOKEN}","max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"report_incomplete":{}}
- GH_AW_SAFE_OUTPUTS_CONFIG_3821d7120be5d209_EOF
+ cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_d0f164dc9c0aeebb_EOF'
+ {"create_agent_session":{"base":"main","max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"report_incomplete":{}}
+ GH_AW_SAFE_OUTPUTS_CONFIG_d0f164dc9c0aeebb_EOF
- name: Generate Safe Outputs Tools
env:
GH_AW_TOOLS_META_JSON: |
@@ -640,7 +639,7 @@ jobs:
mkdir -p /home/runner/.copilot
GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
- cat << GH_AW_MCP_CONFIG_fd16d513a6a5ac3a_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+ cat << GH_AW_MCP_CONFIG_28eaa69ff26e35a9_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
{
"mcpServers": {
"github": {
@@ -684,7 +683,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_fd16d513a6a5ac3a_EOF
+ GH_AW_MCP_CONFIG_28eaa69ff26e35a9_EOF
- name: Mount MCP servers as CLIs
id: mount-mcp-clis
continue-on-error: true
@@ -1347,8 +1346,8 @@ jobs:
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,patch-diff.githubusercontent.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,storage.googleapis.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_API_URL: ${{ github.api_url }}
- GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_agent_session\":{\"base\":\"main\",\"github-token\":\"${{ secrets.COPILOT_GITHUB_TOKEN }}\",\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"report_incomplete\":{}}"
- GH_AW_AGENT_SESSION_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_agent_session\":{\"base\":\"main\",\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"report_incomplete\":{}}"
+ GH_AW_AGENT_SESSION_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
with:
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
diff --git a/.github/workflows/aw-auto-update.md b/.github/workflows/aw-auto-update.md
index 68dea9cc266..41fca3a54e9 100644
--- a/.github/workflows/aw-auto-update.md
+++ b/.github/workflows/aw-auto-update.md
@@ -40,7 +40,6 @@ safe-outputs:
create-agent-session:
base: main
max: 1
- github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }}
---
# Agentic Workflow Auto-Update — Detection
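Review bot: Dropping `github-token` from `create-agent-session` leaves the prose in this same file stale: the description still says the CCA session "runs under its own identity (COPILOT_GITHUB_TOKEN)" and the Background section still says the safe-outputs job invokes `gh agent-task create` using `COPILOT_GITHUB_TOKEN`, whereas the recompiled lock now resolves the session token as `secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`. Update both passages to name that fallback chain and state which secret is actually expected to be configured, because a silent fallback means a run may create the agent session under `GH_AW_GITHUB_TOKEN` (presumably a broader PAT, given it is used as the repo-level override elsewhere in the lock) without anyone having chosen that. The commit message's assumption that `GITHUB_TOKEN` with `issues:write` is enough for `gh agent-task create` is not verified by anything in this diff, so a frontmatter comment such as `# create-agent-session token: GH_AW_AGENT_TOKEN, else GH_AW_GITHUB_TOKEN, else GITHUB_TOKEN (see lock.yml)` would at least make the expectation explicit for whoever sees the first failure.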