diff --git a/.github/workflows/gh-aw-bug-hunter.lock.yml b/.github/workflows/gh-aw-bug-hunter.lock.yml
index b5bf0541..41485c8f 100644
--- a/.github/workflows/gh-aw-bug-hunter.lock.yml
+++ b/.github/workflows/gh-aw-bug-hunter.lock.yml
@@ -32,15 +32,16 @@
 # - gh-aw-fragments/messages-footer.md
 # - gh-aw-fragments/network-ecosystems.md
 # - gh-aw-fragments/pick-three-keep-one.md
-# - gh-aw-fragments/previous-findings.md
+# - gh-aw-fragments/previous-findings-target-repo.md
 # - gh-aw-fragments/rigor.md
 # - gh-aw-fragments/runtime-setup.md
 # - gh-aw-fragments/safe-output-create-issue.md
 # - gh-aw-fragments/scheduled-audit.md
+# - gh-aw-fragments/vault-token.md
 #
 # inlined-imports: true
 #
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"ef21ef9e9db17115b521eea75b1098a7e250a4495331fb0f23166e78979cd13f"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"73974c891a9740d019eec7a9c4e4bdeb99fb80e4a50d7db5fb210357657e98f7"}
 name: "Bug Hunter"
 "on":
@@ -77,14 +78,26 @@ name: "Bug Hunter"
 description: Shell commands to run before the agent starts (dependency install, build, etc.)
 required: false
 type: string
+ target-repo:
+ default: ""
+ description: Optional owner/repo slug to create issues in a remote repository
+ required: false
+ type: string
 title-prefix:
 default: "[bug-hunter]"
 description: Title prefix for created issues (e.g. '[bug-hunter]')
 required: false
 type: string
+ token-policy:
+ default: ""
+ description: Optional vault token policy used to mint an ephemeral GitHub token
+ required: false
+ type: string
 secrets:
 COPILOT_GITHUB_TOKEN:
 required: true
+ GITHUB_TOKEN:
+ required: false
 permissions: {}
@@ -213,6 +226,9 @@ jobs:
 GH_AW_PROMPT_EOF
 cat << 'GH_AW_PROMPT_EOF'
+ GH_AW_PROMPT_EOF
+ cat << 'GH_AW_PROMPT_EOF'
+ GH_AW_PROMPT_EOF
 cat << 'GH_AW_PROMPT_EOF'
 ## Formatting Guidelines
@@ -614,10 +630,11 @@ jobs:
 name: Ensure full history
 run: "if git rev-parse --is-shallow-repository | grep -q true; then\n SERVER_URL_STRIPPED=\"${SERVER_URL#https://}\"\n git remote set-url origin \"https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git\"\n git fetch --unshallow --quiet\nfi"
 - env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }}
+ TARGET_REPO: ${{ inputs.target-repo || github.repository }}
 TITLE_PREFIX: ${{ inputs.title-prefix }}
 name: List previous findings
- run: "set -euo pipefail\ngh issue list \\\n --repo \"$GITHUB_REPOSITORY\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }"
+ run: "set -euo pipefail\ngh issue list \\\n --repo \"$TARGET_REPO\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }"
 - env:
 SETUP_COMMANDS: ${{ inputs.setup-commands }}
 if: ${{ inputs.setup-commands != '' }}
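Review bot: The `List previous findings` step in this hunk fails open for a remote target: when `$TARGET_REPO` names a repository that the `secrets.GITHUB_TOKEN || github.token` credential cannot read, `gh issue list` fails and the `|| { ... echo "[]" ... }` fallback silently disables deduplication, so the agent may file duplicate issues in that repository. The vault-minted token is only produced by the `create-token` step added at +1498 (L5), which runs after this step, so it cannot help here. Fail closed when a remote target is configured, e.g. prefix the fallback with `[ "$TARGET_REPO" = "$GITHUB_REPOSITORY" ] || exit 1;`, or mint the token before this step runs. This file is generated (`inlined-imports: true`), so the change belongs in the `previous-findings-target-repo.md` fragment; the same hunk appears in L11 and L19.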
@@ -642,9 +659,9 @@ jobs:
 (github.event.pull_request) || (github.event.issue.pull_request)
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 env:
- GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -720,7 +737,7 @@ jobs:
 cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF'
 [
 {
- "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \".",
+ "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \". Issues will be created in repository \"${{ inputs.target-repo || '' }}\".",
 "inputSchema": {
 "additionalProperties": false,
 "properties": {
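Review bot: `steps.create-token.outputs.token` in the two changed lines of the hunk at +659 is very likely always empty: the `create-token` step is introduced at +1498 (L5), far below this step, so unless it also runs earlier in the same job the expression resolves to the `secrets.GITHUB_TOKEN || github.token` fallback and the ephemeral token never reaches this step. The four `github-token` lines at L4 (+1380 to +1430) precede the token step as well and have the same problem. Either run the token step before its first consumer, or drop the `steps.create-token.outputs.token ||` term from lines it cannot reach so the expression does not suggest a credential that is not actually in use. The same pattern is repeated in L12/L13 and L20/L21; the enclosing step starts before this hunk.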
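Review bot: With `target-repo` left at its default, the agent-facing description in the hunk at +737 renders as `Issues will be created in repository ""`, which tells the model nothing about the destination and may lead it to guess one. Rendering `${{ inputs.target-repo || github.repository }}` instead would state the effective repository in both cases. Since the lock file is compiled, this is a concern for the template that produces the description rather than a hand edit; L12 and L20 carry the same text.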
@@ -1363,7 +1380,7 @@ jobs:
 GH_AW_NOOP_MAX: "1"
 GH_AW_WORKFLOW_NAME: "Bug Hunter"
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -1376,7 +1393,7 @@ jobs:
 GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
 GH_AW_WORKFLOW_NAME: "Bug Hunter"
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -1396,7 +1413,7 @@ jobs:
 GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"${{ inputs.messages-footer || '---\\n[What is this?](https://ela.st/github-ai-tools) | [From workflow: {workflow_name}]({run_url})\\n\\nGive us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.' }}\",\"activationComments\":\"false\"}"
 GH_AW_GROUP_REPORTS: "false"
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -1413,7 +1430,7 @@ jobs:
 GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
 GH_AW_NOOP_REPORT_AS_ISSUE: "true"
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -1481,6 +1498,12 @@ jobs:
 mkdir -p /tmp/gh-aw/safeoutputs/
 find "/tmp/gh-aw/safeoutputs/" -type f -print
 echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
+ - name: Create ephemeral token
+ id: create-token
+ if: ${{ inputs.token-policy != '' }}
+ uses: elastic/oblt-actions/github/create-token@55166bdfaa06a86350bd4516af37ceae1d45b757 # 55166bdfaa06a86350bd4516af37ceae1d45b757
+ with:
+ token-policy: ${{ inputs.token-policy }}
 - name: Process Safe Outputs
 id: process_safe_outputs
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
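Review bot: The pin comment on the new `uses:` line repeats the commit SHA instead of naming the tag or release it resolves to, so neither a reader nor a pin-update tool can tell which version of `elastic/oblt-actions/github/create-token` is in use; the `github-script` pin two lines below shows the convention with `# v8`, so write `uses: elastic/oblt-actions/github/create-token@55166bdfaa06a86350bd4516af37ceae1d45b757 # <tag-or-version>`. There is also no guard for the combination `target-repo != ''` with `token-policy == ''`: the following `Process Safe Outputs` step then falls back to `github.token`, which has no rights in another repository, and the misconfiguration surfaces only when issue creation fails. A short validation step that errors when a remote target is set without a token policy or a pass-through secret would fail fast instead. The same step is added in L14 and L22, presumably from the `vault-token.md` fragment, so the fix belongs there.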
@@ -1489,9 +1512,9 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.docker.com,*.docker.io,*.githubusercontent.com,*.hackage.haskell.org,*.jsr.io,*.pythonhosted.org,*.rvm.io,*.vsblob.vsassets.io,adoptium.net,agents-md-generator.fastmcp.app,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.rubygems.org,api.snapcraft.io,apt.llvm.org,apt.releases.hashicorp.com,archive.apache.org,archive.ubuntu.com,archlinux.org,artifacts.elastic.co,auth.docker.io,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bitbucket.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,builds.hex.pm,bun.sh,bundler.rubygems.org,cache.ruby-lang.org,cdn.azul.com,cdn.cocoapods.org,cdn.hex.pm,cdn.jsdelivr.net,cdn.playwright.dev,cdn.redhat.com,cdn.sheetjs.com,central.sonatype.com,ci.dot.net,clojars.org,cloud.elastic.co,cocoapods.org,code.jquery.com,codeload.github.com,conda.anaconda.org,conda.binstar.org,cpan.metacpan.org,cpan.org,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.jsdelivr.com,dc.services.visualstudio.com,deb.debian.org,deb.nodesource.com,debian.map.fastlydns.net,deno.land,dist.nuget.org,dl-cdn.alpinelinux.org,dl.bintray.com,dl.fedoraproject.org,dl.google.com,dl.k8s.io,dlcdn.apache.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.fedoraproject.org,download.java.net,download.opensuse.org,download.oracle.com,download.swift.org,downloads.gradle-dn.com,downloads.haskell.org,ela.st,elastic.co,elastic.dev,elastic.github.io,esm.sh,fastly.hex.pm,files.pythonhosted.org,fonts.googleapis.com,fonts.gstatic.com,gcr.io,ge.jetbrains.com,gems.rubyforge.org,gems.rubyonrails.org,get-ghcup.haskell.org,get.pnpm.io,getcomposer.org,ghcr.io,github-cloud.g
ithubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,gradle.org,haskell.org,hex.pm,host.docker.internal,index.crates.io,index.rubygems.org,jcenter.bintray.com,jdk.java.net,jitpack.io,json-schema.org,json.schemastore.org,jsr.io,keyring.debian.org,keyserver.ubuntu.com,kotlin.bintray.com,lfs.github.com,maven.apache.org,maven.google.com,maven.oracle.com,maven.pkg.github.com,mcr.microsoft.com,metacpan.org,mirror.archlinux.org,mirror.centos.org,mirrors.fedoraproject.org,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.debian.org,packages.jetbrains.team,packages.microsoft.com,packagist.org,pip.pypa.io,pkg.alpinelinux.org,pkg.go.dev,pkg.machengine.org,pkgs.dev.azure.com,pkgs.k8s.io,playwright.download.prss.microsoft.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,production.cloudflare.docker.com,productionresultssa0.blob.core.windows.net,productionresultssa1.blob.core.windows.net,productionresultssa10.blob.core.windows.net,productionresultssa11.blob.core.windows.net,productionresultssa12.blob.core.windows.net,productionresultssa13.blob.core.windows.net,productionresultssa14.blob.core.windows.net,productionresultssa15.blob.core.windows.net,productionresultssa16.blob.core.windows.net,productionresultssa17.blob.core.windows.net,productionresultssa18.blob.core.windows.net,productionresultssa19.blob.core.windows.net,productionresultssa2.blob.core.windows.net,productionresultssa3.blob.core.windows.net,productionresultssa4.blob.core.windows.net,productionresultssa5.blob.core.windows.net,productionresultssa6.blob.core.window
s.net,productionresultssa7.blob.core.windows.net,productionresultssa8.blob.core.windows.net,productionresultssa9.blob.core.windows.net,proxy.golang.org,pub.dartlang.org,pub.dev,public-code-search.fastmcp.app,pypi.org,pypi.python.org,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.terraform.io,registry.yarnpkg.com,releases.hashicorp.com,repo.anaconda.com,repo.clojars.org,repo.continuum.io,repo.gradle.org,repo.grails.org,repo.hex.pm,repo.maven.apache.org,repo.packagist.org,repo.scala-sbt.org,repo.spring.io,repo.typesafe.com,repo.yarnpkg.com,repo1.maven.org,rubygems.org,rubygems.pkg.github.com,s.symcb.com,s.symcd.com,scala-ci.typesafe.com,security.debian.org,security.ubuntu.com,services.gradle.org,sh.rustup.rs,skimdb.npmjs.com,static.crates.io,static.rust-lang.org,storage.googleapis.com,sum.golang.org,swift.org,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,vault.centos.org,www.cpan.org,www.elastic.co,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com,yum.releases.hashicorp.com,ziglang.org" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":false,\"expires\":168,\"max\":1,\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":false,\"expires\":168,\"max\":1,\"target-repo\":\"${{ inputs.target-repo || '' }}\",\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, 
exec, io);
diff --git a/.github/workflows/gh-aw-bug-hunter.md b/.github/workflows/gh-aw-bug-hunter.md
index b849ab78..ec76fb3e 100644
--- a/.github/workflows/gh-aw-bug-hunter.md
+++ b/.github/workflows/gh-aw-bug-hunter.md
@@ -5,13 +5,14 @@ description: "Find a reproducible, user-impacting bug and file a report issue"
 imports:
 - gh-aw-fragments/elastic-tools.md
 - gh-aw-fragments/runtime-setup.md
+ - gh-aw-fragments/vault-token.md
 - gh-aw-fragments/ensure-full-history.md
 - gh-aw-fragments/formatting.md
 - gh-aw-fragments/rigor.md
 - gh-aw-fragments/mcp-pagination.md
 - gh-aw-fragments/messages-footer.md
 - gh-aw-fragments/safe-output-create-issue.md
- - gh-aw-fragments/previous-findings.md
+ - gh-aw-fragments/previous-findings-target-repo.md
 - gh-aw-fragments/pick-three-keep-one.md
 - gh-aw-fragments/scheduled-audit.md
 - gh-aw-fragments/network-ecosystems.md
@@ -51,9 +52,21 @@ on:
 type: string
 required: false
 default: "[bug-hunter]"
+ target-repo:
+ description: "Optional owner/repo slug to create issues in a remote repository"
+ type: string
+ required: false
+ default: ""
+ token-policy:
+ description: "Optional vault token policy used to mint an ephemeral GitHub token"
+ type: string
+ required: false
+ default: ""
 secrets:
 COPILOT_GITHUB_TOKEN:
 required: true
+ GITHUB_TOKEN:
+ required: false
 roles: [admin, maintainer, write]
 bots:
 - "${{ inputs.allowed-bot-users }}"
@@ -76,6 +89,7 @@ safe-outputs:
 noop:
 create-issue:
 max: 1
+ target-repo: "${{ inputs.target-repo || '' }}"
 title-prefix: "${{ inputs.title-prefix }} "
 close-older-issues: false
 expires: 7d
diff --git a/.github/workflows/gh-aw-docs-drift.lock.yml b/.github/workflows/gh-aw-docs-drift.lock.yml
index 249705ab..5130515a 100644
--- a/.github/workflows/gh-aw-docs-drift.lock.yml
+++ b/.github/workflows/gh-aw-docs-drift.lock.yml
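Review bot: `inputs.target-repo` is interpolated unvalidated into the JSON of `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` in the hunk at +1512 (L8), and likewise into the tools.json description at +737 and the `--repo` argument at +630; a value containing `"`, `\` or `}` corrupts the JSON rather than being rejected, and nothing checks that it is an `owner/repo` slug. The new key is also spelled `target-repo` while its siblings in the same object use snake_case (`title_prefix`, `close_older_issues`); if the handler reads `target_repo`, the setting is silently ignored and issues land in the calling repository — worth confirming against the handler code. Validating the slug once before any consumer closes the first gap; the step below is a sketch, and since the lock file is generated it belongs in the source `.md` or its fragment. L17 carries the same hunk.
```yaml
- name: Validate target-repo
  if: ${{ inputs.target-repo != '' }}
  env:
    TARGET_REPO: ${{ inputs.target-repo }}
  run: |
    [[ "$TARGET_REPO" =~ ^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$ ]] \
      || { echo "::error::target-repo must be an owner/repo slug"; exit 1; }
```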
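Review bot: Declaring a `workflow_call` secret named `GITHUB_TOKEN` in the hunk at +52 collides with the automatic token: `secrets.GITHUB_TOKEN` already exists in every run, and secret names beginning with `GITHUB_` are reserved by GitHub, so it is unclear that a caller can pass a separate credential under this name; if it cannot, every `secrets.GITHUB_TOKEN || github.token` fallback in the compiled lock files resolves to the workflow token and the `required: false` declaration is dead. A name without the reserved prefix (e.g. `<PASSTHROUGH_TOKEN_SECRET>`) makes the intent explicit and lets the compiled workflows in L1, L10 and L18 follow. The `target-repo` and `token-policy` descriptions could also say which is needed when: a remote target needs either a token policy or the pass-through secret, since `github.token` has no access to other repositories.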
@@ -37,15 +37,16 @@
 # - gh-aw-fragments/messages-footer.md
 # - gh-aw-fragments/network-ecosystems.md
 # - gh-aw-fragments/pick-three-keep-many.md
-# - gh-aw-fragments/previous-findings.md
+# - gh-aw-fragments/previous-findings-target-repo.md
 # - gh-aw-fragments/rigor.md
 # - gh-aw-fragments/runtime-setup.md
 # - gh-aw-fragments/safe-output-create-issue.md
 # - gh-aw-fragments/scheduled-audit.md
+# - gh-aw-fragments/vault-token.md
 #
 # inlined-imports: true
 #
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"66bbbb473d86204ed1ecd6201d3a2640ea5fd714ab9d1360cf361c98aeed47dd"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c2891a818d1c4f018bed43f322fe6cf94d09e4e0c1f87718c7685c782a7762a6"}
 name: "Docs Patrol"
 "on":
@@ -87,14 +88,26 @@ name: "Docs Patrol"
 description: Shell commands to run before the agent starts (dependency install, build, etc.)
 required: false
 type: string
+ target-repo:
+ default: ""
+ description: Optional owner/repo slug to create issues in a remote repository
+ required: false
+ type: string
 title-prefix:
 default: "[docs-patrol]"
 description: Title prefix for created issues (e.g. '[docs-patrol]')
 required: false
 type: string
+ token-policy:
+ default: ""
+ description: Optional vault token policy used to mint an ephemeral GitHub token
+ required: false
+ type: string
 secrets:
 COPILOT_GITHUB_TOKEN:
 required: true
+ GITHUB_TOKEN:
+ required: false
 permissions: {}
@@ -223,6 +236,9 @@ jobs:
 GH_AW_PROMPT_EOF
 cat << 'GH_AW_PROMPT_EOF'
+ GH_AW_PROMPT_EOF
+ cat << 'GH_AW_PROMPT_EOF'
+ GH_AW_PROMPT_EOF
 cat << 'GH_AW_PROMPT_EOF'
 ## Formatting Guidelines
@@ -632,10 +648,11 @@ jobs:
 name: Ensure full history
 run: "if git rev-parse --is-shallow-repository | grep -q true; then\n SERVER_URL_STRIPPED=\"${SERVER_URL#https://}\"\n git remote set-url origin \"https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git\"\n git fetch --unshallow --quiet\nfi"
 - env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }}
+ TARGET_REPO: ${{ inputs.target-repo || github.repository }}
 TITLE_PREFIX: ${{ inputs.title-prefix }}
 name: List previous findings
- run: "set -euo pipefail\ngh issue list \\\n --repo \"$GITHUB_REPOSITORY\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }"
+ run: "set -euo pipefail\ngh issue list \\\n --repo \"$TARGET_REPO\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }"
 - env:
 SETUP_COMMANDS: ${{ inputs.setup-commands }}
 if: ${{ inputs.setup-commands != '' }}
@@ -660,9 +677,9 @@ jobs:
 (github.event.pull_request) || (github.event.issue.pull_request)
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 env:
- GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -738,7 +755,7 @@ jobs:
 cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF'
 [
 {
- "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \".",
+ "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \". Issues will be created in repository \"${{ inputs.target-repo || '' }}\".",
 "inputSchema": {
 "additionalProperties": false,
 "properties": {
@@ -1381,7 +1398,7 @@ jobs:
 GH_AW_NOOP_MAX: "1"
 GH_AW_WORKFLOW_NAME: "Docs Patrol"
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -1394,7 +1411,7 @@ jobs:
 GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
 GH_AW_WORKFLOW_NAME: "Docs Patrol"
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -1414,7 +1431,7 @@ jobs:
 GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"${{ inputs.messages-footer || '---\\n[What is this?](https://ela.st/github-ai-tools) | [From workflow: {workflow_name}]({run_url})\\n\\nGive us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.' }}\",\"activationComments\":\"false\"}"
 GH_AW_GROUP_REPORTS: "false"
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -1431,7 +1448,7 @@ jobs:
 GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
 GH_AW_NOOP_REPORT_AS_ISSUE: "true"
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -1499,6 +1516,12 @@ jobs:
 mkdir -p /tmp/gh-aw/safeoutputs/
 find "/tmp/gh-aw/safeoutputs/" -type f -print
 echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
+ - name: Create ephemeral token
+ id: create-token
+ if: ${{ inputs.token-policy != '' }}
+ uses: elastic/oblt-actions/github/create-token@55166bdfaa06a86350bd4516af37ceae1d45b757 # 55166bdfaa06a86350bd4516af37ceae1d45b757
+ with:
+ token-policy: ${{ inputs.token-policy }}
 - name: Process Safe Outputs
 id: process_safe_outputs
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -1507,9 +1530,9 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.docker.com,*.docker.io,*.githubusercontent.com,*.hackage.haskell.org,*.jsr.io,*.pythonhosted.org,*.rvm.io,*.vsblob.vsassets.io,adoptium.net,agents-md-generator.fastmcp.app,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.rubygems.org,api.snapcraft.io,apt.llvm.org,apt.releases.hashicorp.com,archive.apache.org,archive.ubuntu.com,archlinux.org,artifacts.elastic.co,auth.docker.io,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bitbucket.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,builds.hex.pm,bun.sh,bundler.rubygems.org,cache.ruby-lang.org,cdn.azul.com,cdn.cocoapods.org,cdn.hex.pm,cdn.jsdelivr.net,cdn.playwright.dev,cdn.redhat.com,cdn.sheetjs.com,central.sonatype.com,ci.dot.net,clojars.org,cloud.elastic.co,cocoapods.org,code.jquery.com,codeload.github.com,conda.anaconda.org,conda.binstar.org,cpan.metacpan.org,cpan.org,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.jsdelivr.com,dc.services.visualstudio.com,deb.debian.org,deb.nodesource.com,debian.map.fastlydns.net,deno.land,dist.nuget.org,dl-cdn.alpinelinux.org,dl.bintray.com,dl.fedoraproject.org,dl.google.com,dl.k8s.io,dlcdn.apache.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.fedoraproject.org,download.java.net,download.opensuse.org,download.oracle.com,download.swift.org,downloads.gradle-dn.com,downloads.haskell.org,ela.st,elastic.co,elastic.dev,elastic.github.io,esm.sh,fastly.hex.pm,files.pythonhosted.org,fonts.googleapis.com,fonts.gstatic.com,gcr.io,ge.jetbrains.com,gems.rubyforge.org,gems.rubyonrails.org,get-ghcup.haskell.org,get.pnpm.io,getcomposer.org,ghcr.io,github-cloud.g
ithubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,gradle.org,haskell.org,hex.pm,host.docker.internal,index.crates.io,index.rubygems.org,jcenter.bintray.com,jdk.java.net,jitpack.io,json-schema.org,json.schemastore.org,jsr.io,keyring.debian.org,keyserver.ubuntu.com,kotlin.bintray.com,lfs.github.com,maven.apache.org,maven.google.com,maven.oracle.com,maven.pkg.github.com,mcr.microsoft.com,metacpan.org,mirror.archlinux.org,mirror.centos.org,mirrors.fedoraproject.org,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.debian.org,packages.jetbrains.team,packages.microsoft.com,packagist.org,pip.pypa.io,pkg.alpinelinux.org,pkg.go.dev,pkg.machengine.org,pkgs.dev.azure.com,pkgs.k8s.io,playwright.download.prss.microsoft.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,production.cloudflare.docker.com,productionresultssa0.blob.core.windows.net,productionresultssa1.blob.core.windows.net,productionresultssa10.blob.core.windows.net,productionresultssa11.blob.core.windows.net,productionresultssa12.blob.core.windows.net,productionresultssa13.blob.core.windows.net,productionresultssa14.blob.core.windows.net,productionresultssa15.blob.core.windows.net,productionresultssa16.blob.core.windows.net,productionresultssa17.blob.core.windows.net,productionresultssa18.blob.core.windows.net,productionresultssa19.blob.core.windows.net,productionresultssa2.blob.core.windows.net,productionresultssa3.blob.core.windows.net,productionresultssa4.blob.core.windows.net,productionresultssa5.blob.core.windows.net,productionresultssa6.blob.core.window
s.net,productionresultssa7.blob.core.windows.net,productionresultssa8.blob.core.windows.net,productionresultssa9.blob.core.windows.net,proxy.golang.org,pub.dartlang.org,pub.dev,public-code-search.fastmcp.app,pypi.org,pypi.python.org,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.terraform.io,registry.yarnpkg.com,releases.hashicorp.com,repo.anaconda.com,repo.clojars.org,repo.continuum.io,repo.gradle.org,repo.grails.org,repo.hex.pm,repo.maven.apache.org,repo.packagist.org,repo.scala-sbt.org,repo.spring.io,repo.typesafe.com,repo.yarnpkg.com,repo1.maven.org,rubygems.org,rubygems.pkg.github.com,s.symcb.com,s.symcd.com,scala-ci.typesafe.com,security.debian.org,security.ubuntu.com,services.gradle.org,sh.rustup.rs,skimdb.npmjs.com,static.crates.io,static.rust-lang.org,storage.googleapis.com,sum.golang.org,swift.org,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,vault.centos.org,www.cpan.org,www.elastic.co,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com,yum.releases.hashicorp.com,ziglang.org" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":false,\"expires\":168,\"max\":1,\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":false,\"expires\":168,\"max\":1,\"target-repo\":\"${{ inputs.target-repo || '' }}\",\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, 
exec, io);
diff --git a/.github/workflows/gh-aw-docs-patrol.lock.yml b/.github/workflows/gh-aw-docs-patrol.lock.yml
index 174f481c..2f52baa3 100644
--- a/.github/workflows/gh-aw-docs-patrol.lock.yml
+++ b/.github/workflows/gh-aw-docs-patrol.lock.yml
@@ -32,15 +32,16 @@
 # - gh-aw-fragments/messages-footer.md
 # - gh-aw-fragments/network-ecosystems.md
 # - gh-aw-fragments/pick-three-keep-many.md
-# - gh-aw-fragments/previous-findings.md
+# - gh-aw-fragments/previous-findings-target-repo.md
 # - gh-aw-fragments/rigor.md
 # - gh-aw-fragments/runtime-setup.md
 # - gh-aw-fragments/safe-output-create-issue.md
 # - gh-aw-fragments/scheduled-audit.md
+# - gh-aw-fragments/vault-token.md
 #
 # inlined-imports: true
 #
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"66bbbb473d86204ed1ecd6201d3a2640ea5fd714ab9d1360cf361c98aeed47dd"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c2891a818d1c4f018bed43f322fe6cf94d09e4e0c1f87718c7685c782a7762a6"}
 name: "Docs Patrol"
 "on":
@@ -82,14 +83,26 @@ name: "Docs Patrol"
 description: Shell commands to run before the agent starts (dependency install, build, etc.)
 required: false
 type: string
+ target-repo:
+ default: ""
+ description: Optional owner/repo slug to create issues in a remote repository
+ required: false
+ type: string
 title-prefix:
 default: "[docs-patrol]"
 description: Title prefix for created issues (e.g. '[docs-patrol]')
 required: false
 type: string
+ token-policy:
+ default: ""
+ description: Optional vault token policy used to mint an ephemeral GitHub token
+ required: false
+ type: string
 secrets:
 COPILOT_GITHUB_TOKEN:
 required: true
+ GITHUB_TOKEN:
+ required: false
 permissions: {}
@@ -218,6 +231,9 @@ jobs:
 GH_AW_PROMPT_EOF
 cat << 'GH_AW_PROMPT_EOF'
+ GH_AW_PROMPT_EOF
+ cat << 'GH_AW_PROMPT_EOF'
+ GH_AW_PROMPT_EOF
 cat << 'GH_AW_PROMPT_EOF'
 ## Formatting Guidelines
@@ -627,10 +643,11 @@ jobs:
 name: Ensure full history
 run: "if git rev-parse --is-shallow-repository | grep -q true; then\n SERVER_URL_STRIPPED=\"${SERVER_URL#https://}\"\n git remote set-url origin \"https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git\"\n git fetch --unshallow --quiet\nfi"
 - env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }}
+ TARGET_REPO: ${{ inputs.target-repo || github.repository }}
 TITLE_PREFIX: ${{ inputs.title-prefix }}
 name: List previous findings
- run: "set -euo pipefail\ngh issue list \\\n --repo \"$GITHUB_REPOSITORY\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }"
+ run: "set -euo pipefail\ngh issue list \\\n --repo \"$TARGET_REPO\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }"
 - env:
 SETUP_COMMANDS: ${{ inputs.setup-commands }}
 if: ${{ inputs.setup-commands != '' }}
@@ -655,9 +672,9 @@ jobs:
 (github.event.pull_request) || (github.event.issue.pull_request)
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 env:
- GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
 script: |
 const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
 setupGlobals(core, github, context, exec, io);
@@ -733,7 +750,7 @@ jobs:
 cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF'
 [
 {
- "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \".",
+ "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \". Issues will be created in repository \"${{ inputs.target-repo || '' }}\".",
 "inputSchema": {
 "additionalProperties": false,
 "properties": {
@@ -1376,7 +1393,7 @@ jobs: GH_AW_NOOP_MAX: "1" GH_AW_WORKFLOW_NAME: "Docs Patrol" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1389,7 +1406,7 @@ jobs: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_WORKFLOW_NAME: "Docs Patrol" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1409,7 +1426,7 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"${{ inputs.messages-footer || '---\\n[What is this?](https://ela.st/github-ai-tools) | [From workflow: {workflow_name}]({run_url})\\n\\nGive us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.' }}\",\"activationComments\":\"false\"}" GH_AW_GROUP_REPORTS: "false" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1426,7 +1443,7 @@ jobs: GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} GH_AW_NOOP_REPORT_AS_ISSUE: "true" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); 
@@ -1494,6 +1511,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Create ephemeral token + id: create-token + if: ${{ inputs.token-policy != '' }} + uses: elastic/oblt-actions/github/create-token@55166bdfaa06a86350bd4516af37ceae1d45b757 # 55166bdfaa06a86350bd4516af37ceae1d45b757 + with: + token-policy: ${{ inputs.token-policy }} - name: Process Safe Outputs id: process_safe_outputs uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
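Review bot: The token minted at +1511 is consumed through `steps.create-token.outputs.token`, and step outputs are not masked automatically; unless `elastic/oblt-actions/github/create-token` registers the value with `::add-mask::`/`core.setSecret` at the pinned revision (worth confirming), it can surface in the logs of any consumer that prints its inputs. The fragment's `id-token: write` suggests the action authenticates to Vault via OIDC, but the job-level `permissions:` is outside this hunk, so please verify the compiled safe-outputs job actually carries that grant. The pin comment `# 55166bdfaa06a86350bd4516af37ceae1d45b757` merely repeats the SHA while the fragment uses `# v1`; keeping the tag in the comment lets dependency tooling track updates: `uses: elastic/oblt-actions/github/create-token@55166bdfaa06a86350bd4516af37ceae1d45b757 # v1`. The same step is added at `@@ -1409,6 +1426,12 @@` and `@@ -1564,6 +1581,12 @@`.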
@@ -1502,9 +1525,9 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.docker.com,*.docker.io,*.githubusercontent.com,*.hackage.haskell.org,*.jsr.io,*.pythonhosted.org,*.rvm.io,*.vsblob.vsassets.io,adoptium.net,agents-md-generator.fastmcp.app,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.rubygems.org,api.snapcraft.io,apt.llvm.org,apt.releases.hashicorp.com,archive.apache.org,archive.ubuntu.com,archlinux.org,artifacts.elastic.co,auth.docker.io,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bitbucket.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,builds.hex.pm,bun.sh,bundler.rubygems.org,cache.ruby-lang.org,cdn.azul.com,cdn.cocoapods.org,cdn.hex.pm,cdn.jsdelivr.net,cdn.playwright.dev,cdn.redhat.com,cdn.sheetjs.com,central.sonatype.com,ci.dot.net,clojars.org,cloud.elastic.co,cocoapods.org,code.jquery.com,codeload.github.com,conda.anaconda.org,conda.binstar.org,cpan.metacpan.org,cpan.org,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.jsdelivr.com,dc.services.visualstudio.com,deb.debian.org,deb.nodesource.com,debian.map.fastlydns.net,deno.land,dist.nuget.org,dl-cdn.alpinelinux.org,dl.bintray.com,dl.fedoraproject.org,dl.google.com,dl.k8s.io,dlcdn.apache.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.fedoraproject.org,download.java.net,download.opensuse.org,download.oracle.com,download.swift.org,downloads.gradle-dn.com,downloads.haskell.org,ela.st,elastic.co,elastic.dev,elastic.github.io,esm.sh,fastly.hex.pm,files.pythonhosted.org,fonts.googleapis.com,fonts.gstatic.com,gcr.io,ge.jetbrains.com,gems.rubyforge.org,gems.rubyonrails.org,get-ghcup.haskell.org,get.pnpm.io,getcomposer.org,ghcr.io,github-cloud.g
ithubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,gradle.org,haskell.org,hex.pm,host.docker.internal,index.crates.io,index.rubygems.org,jcenter.bintray.com,jdk.java.net,jitpack.io,json-schema.org,json.schemastore.org,jsr.io,keyring.debian.org,keyserver.ubuntu.com,kotlin.bintray.com,lfs.github.com,maven.apache.org,maven.google.com,maven.oracle.com,maven.pkg.github.com,mcr.microsoft.com,metacpan.org,mirror.archlinux.org,mirror.centos.org,mirrors.fedoraproject.org,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.debian.org,packages.jetbrains.team,packages.microsoft.com,packagist.org,pip.pypa.io,pkg.alpinelinux.org,pkg.go.dev,pkg.machengine.org,pkgs.dev.azure.com,pkgs.k8s.io,playwright.download.prss.microsoft.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,production.cloudflare.docker.com,productionresultssa0.blob.core.windows.net,productionresultssa1.blob.core.windows.net,productionresultssa10.blob.core.windows.net,productionresultssa11.blob.core.windows.net,productionresultssa12.blob.core.windows.net,productionresultssa13.blob.core.windows.net,productionresultssa14.blob.core.windows.net,productionresultssa15.blob.core.windows.net,productionresultssa16.blob.core.windows.net,productionresultssa17.blob.core.windows.net,productionresultssa18.blob.core.windows.net,productionresultssa19.blob.core.windows.net,productionresultssa2.blob.core.windows.net,productionresultssa3.blob.core.windows.net,productionresultssa4.blob.core.windows.net,productionresultssa5.blob.core.windows.net,productionresultssa6.blob.core.window
s.net,productionresultssa7.blob.core.windows.net,productionresultssa8.blob.core.windows.net,productionresultssa9.blob.core.windows.net,proxy.golang.org,pub.dartlang.org,pub.dev,public-code-search.fastmcp.app,pypi.org,pypi.python.org,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.terraform.io,registry.yarnpkg.com,releases.hashicorp.com,repo.anaconda.com,repo.clojars.org,repo.continuum.io,repo.gradle.org,repo.grails.org,repo.hex.pm,repo.maven.apache.org,repo.packagist.org,repo.scala-sbt.org,repo.spring.io,repo.typesafe.com,repo.yarnpkg.com,repo1.maven.org,rubygems.org,rubygems.pkg.github.com,s.symcb.com,s.symcd.com,scala-ci.typesafe.com,security.debian.org,security.ubuntu.com,services.gradle.org,sh.rustup.rs,skimdb.npmjs.com,static.crates.io,static.rust-lang.org,storage.googleapis.com,sum.golang.org,swift.org,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,vault.centos.org,www.cpan.org,www.elastic.co,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com,yum.releases.hashicorp.com,ziglang.org" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":false,\"expires\":168,\"max\":1,\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":false,\"expires\":168,\"max\":1,\"target-repo\":\"${{ inputs.target-repo || '' }}\",\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, 
exec, io); diff --git a/.github/workflows/gh-aw-docs-patrol.md b/.github/workflows/gh-aw-docs-patrol.md index 755da3a3..672c9de4 100644 --- a/.github/workflows/gh-aw-docs-patrol.md +++ b/.github/workflows/gh-aw-docs-patrol.md @@ -5,13 +5,14 @@ description: "Detect code changes that require documentation updates and file is imports: - gh-aw-fragments/elastic-tools.md - gh-aw-fragments/runtime-setup.md + - gh-aw-fragments/vault-token.md - gh-aw-fragments/ensure-full-history.md - gh-aw-fragments/formatting.md - gh-aw-fragments/rigor.md - gh-aw-fragments/mcp-pagination.md - gh-aw-fragments/messages-footer.md - gh-aw-fragments/safe-output-create-issue.md - - gh-aw-fragments/previous-findings.md + - gh-aw-fragments/previous-findings-target-repo.md - gh-aw-fragments/pick-three-keep-many.md - gh-aw-fragments/scheduled-audit.md - gh-aw-fragments/network-ecosystems.md @@ -56,9 +57,21 @@ on: type: string required: false default: "[docs-patrol]" + target-repo: + description: "Optional owner/repo slug to create issues in a remote repository" + type: string + required: false + default: "" + token-policy: + description: "Optional vault token policy used to mint an ephemeral GitHub token" + type: string + required: false + default: "" secrets: COPILOT_GITHUB_TOKEN: required: true + GITHUB_TOKEN: + required: false roles: [admin, maintainer, write] bots: - "${{ inputs.allowed-bot-users }}" @@ -80,6 +93,7 @@ safe-outputs: noop: create-issue: max: 1 + target-repo: "${{ inputs.target-repo || '' }}" title-prefix: "${{ inputs.title-prefix }} " close-older-issues: false expires: 7d diff --git a/.github/workflows/gh-aw-fragments/previous-findings-target-repo.md b/.github/workflows/gh-aw-fragments/previous-findings-target-repo.md new file mode 100644 index 00000000..b3222b3f --- /dev/null +++ b/.github/workflows/gh-aw-fragments/previous-findings-target-repo.md 
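Review bot: `\"target-repo\":\"${{ inputs.target-repo || '' }}\"` inside `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` at +1525 splices a caller-supplied string straight into a JSON literal; a value containing `"` or `\` breaks the document or adds unintended keys to `create_issue`, and nothing checks that the value is an `owner/repo` slug. The input comes from the calling workflow via `workflow_call`, so the exposure is to misconfiguration more than to an outside party, but a one-line check in the step that already has `TARGET_REPO` in its env closes both: `[[ "$TARGET_REPO" =~ ^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$ ]] || { echo "::error::target-repo must be owner/repo"; exit 1; }`. The key is also spelled `target-repo` while its siblings are `title_prefix` and `close_older_issues`; if the handler expects `target_repo`, the setting is silently ignored — worth confirming against the handler. The same config line changes in gh-aw-scheduled-audit.lock.yml at `@@ -1417,9 +1440,9 @@`; the `Process Safe Outputs` step continues outside the hunk.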
@@ -0,0 +1,25 @@
+---
+steps:
+ - name: List previous findings
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }}
+ TITLE_PREFIX: ${{ inputs.title-prefix }}
+ TARGET_REPO: ${{ inputs.target-repo || github.repository }}
+ run: |
+ set -euo pipefail
+ gh issue list \
+ --repo "$TARGET_REPO" \
+ --search "in:title \"$TITLE_PREFIX\"" \
+ --state all \
+ --limit 100 \
+ --json number,title,state \
+ > /tmp/previous-findings.json || { echo "::warning::Failed to fetch previous findings — dedup will be skipped"; echo "[]" > /tmp/previous-findings.json; }
+---
+
+## Previous Findings
+
+Before filing a new issue, check `/tmp/previous-findings.json` for issues this agent has already filed.
+
+- Run `cat /tmp/previous-findings.json` to read the list of previously filed issue numbers and titles.
+- If your finding closely matches an open or recently-closed issue in that list, call `noop` instead of filing a duplicate.
+- Only file a new issue when the finding is genuinely distinct from all previous findings.
diff --git a/.github/workflows/gh-aw-fragments/safe-output-scheduled-audit-issue.md b/.github/workflows/gh-aw-fragments/safe-output-scheduled-audit-issue.md
index 32f44a99..c8470e5e 100644
--- a/.github/workflows/gh-aw-fragments/safe-output-scheduled-audit-issue.md
+++ b/.github/workflows/gh-aw-fragments/safe-output-scheduled-audit-issue.md
@@ -2,6 +2,7 @@ safe-outputs: create-issue: max: 1 + target-repo: "${{ inputs.target-repo || '' }}" title-prefix: "${{ inputs.title-prefix }} " close-older-issues: ${{ inputs.close-older-issues }} expires: 7d
diff --git a/.github/workflows/gh-aw-fragments/vault-token.md b/.github/workflows/gh-aw-fragments/vault-token.md
new file mode 100644
index 00000000..8408509e
--- /dev/null
+++ b/.github/workflows/gh-aw-fragments/vault-token.md
@@ -0,0 +1,12 @@
+---
+safe-outputs:
+ id-token: write
+ steps:
+ - name: Create ephemeral token
+ if: ${{ inputs.token-policy != '' }}
+ id: create-token
+ uses: elastic/oblt-actions/github/create-token@55166bdfaa06a86350bd4516af37ceae1d45b757 # v1
+ with:
+ token-policy: ${{ inputs.token-policy }}
+ github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}
+---
diff --git a/.github/workflows/gh-aw-scheduled-audit.lock.yml b/.github/workflows/gh-aw-scheduled-audit.lock.yml
index 1501c3f5..0704b06e 100644
--- a/.github/workflows/gh-aw-scheduled-audit.lock.yml
+++ b/.github/workflows/gh-aw-scheduled-audit.lock.yml
@@ -34,10 +34,11 @@ # - gh-aw-fragments/runtime-setup.md # - gh-aw-fragments/safe-output-scheduled-audit-issue.md # - gh-aw-fragments/scheduled-audit.md +# - gh-aw-fragments/vault-token.md # # inlined-imports: true # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"94cf40207057a60016559ed389bebb6a2b93d7f246dc5726a00481a8100f2cb8"} +# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"8ec9093cf92dab95763fc66fe49106ff016e32831d3786823c13f68ea5e9bc5f"} name: "Scheduled Audit" "on":
@@ -83,13 +84,25 @@ name: "Scheduled Audit" description: Shell commands to run before the agent starts (dependency install, build, etc.) required: false type: string + target-repo: + default: "" + description: Optional owner/repo slug to create issues in a remote repository + required: false + type: string title-prefix: description: Title prefix for created issues, e.g. '[my-audit]' required: true type: string + token-policy: + default: "" + description: Optional vault token policy used to mint an ephemeral GitHub token + required: false + type: string secrets: COPILOT_GITHUB_TOKEN: required: true + GITHUB_TOKEN: + required: false permissions: {}
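Review bot: The fragment's `github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}` treats `secrets.GITHUB_TOKEN` as a distinct override, but in a `workflow_call` workflow that secret is the automatically supplied job token, normally the same value as `github.token`, and whether a `GITHUB_`-prefixed name declared under `secrets:` (the `GITHUB_TOKEN: required: false` blocks added to the lock files and `.md` workflows) is accepted and overridable by callers is worth verifying before relying on it. If the intent is "Vault-minted token when a policy is given, otherwise the job's default token", the middle term adds nothing and the fragment should state the contract, e.g. a frontmatter comment `# token-policy set → Vault-minted token; otherwise the job's GITHUB_TOKEN`. `id-token: write` is granted to the safe-outputs job even when `token-policy` is empty and the step is skipped; permissions cannot be conditional, so a comment noting that the OIDC grant is unconditional would help callers assess it.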
@@ -229,6 +242,9 @@ jobs: GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' + GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' ## Formatting Guidelines @@ -541,11 +557,12 @@ jobs: echo "$install_dir" >> "$GITHUB_PATH" shell: bash - env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }} + TARGET_REPO: ${{ inputs.target-repo || github.repository }} TITLE_PREFIX: ${{ inputs.title-prefix }} if: ${{ !inputs.close-older-issues }} name: List previous findings - run: "set -euo pipefail\ngh issue list \\\n --repo \"$GITHUB_REPOSITORY\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }\n" + run: "set -euo pipefail\ngh issue list \\\n --repo \"$TARGET_REPO\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }\n" - env: SETUP_COMMANDS: ${{ inputs.setup-commands }} if: ${{ inputs.setup-commands != '' }} 
@@ -570,9 +587,9 @@ jobs: (github.event.pull_request) || (github.event.issue.pull_request) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} with: - github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -648,7 +665,7 @@ jobs: cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { - "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \".", + "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \". Issues will be created in repository \"${{ inputs.target-repo || '' }}\".", "inputSchema": { "additionalProperties": false, "properties": { 
@@ -1291,7 +1308,7 @@ jobs: GH_AW_NOOP_MAX: "1" GH_AW_WORKFLOW_NAME: "Scheduled Audit" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1304,7 +1321,7 @@ jobs: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_WORKFLOW_NAME: "Scheduled Audit" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1324,7 +1341,7 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"${{ inputs.messages-footer || '---\\n[What is this?](https://ela.st/github-ai-tools) | [From workflow: {workflow_name}]({run_url})\\n\\nGive us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.' }}\",\"activationComments\":\"false\"}" GH_AW_GROUP_REPORTS: "false" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1341,7 +1358,7 @@ jobs: GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} GH_AW_NOOP_REPORT_AS_ISSUE: "true" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); 
@@ -1409,6 +1426,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Create ephemeral token + id: create-token + if: ${{ inputs.token-policy != '' }} + uses: elastic/oblt-actions/github/create-token@55166bdfaa06a86350bd4516af37ceae1d45b757 # 55166bdfaa06a86350bd4516af37ceae1d45b757 + with: + token-policy: ${{ inputs.token-policy }} - name: Process Safe Outputs id: process_safe_outputs uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1417,9 +1440,9 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.docker.com,*.docker.io,*.githubusercontent.com,*.hackage.haskell.org,*.jsr.io,*.pythonhosted.org,*.rvm.io,*.vsblob.vsassets.io,adoptium.net,agents-md-generator.fastmcp.app,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.rubygems.org,api.snapcraft.io,apt.llvm.org,apt.releases.hashicorp.com,archive.apache.org,archive.ubuntu.com,archlinux.org,artifacts.elastic.co,auth.docker.io,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bitbucket.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,builds.hex.pm,bun.sh,bundler.rubygems.org,cache.ruby-lang.org,cdn.azul.com,cdn.cocoapods.org,cdn.hex.pm,cdn.jsdelivr.net,cdn.playwright.dev,cdn.redhat.com,cdn.sheetjs.com,central.sonatype.com,ci.dot.net,clojars.org,cloud.elastic.co,cocoapods.org,code.jquery.com,codeload.github.com,conda.anaconda.org,conda.binstar.org,cpan.metacpan.org,cpan.org,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.jsdelivr.com,dc.services.visualstudio.com,deb.debian.org,deb.nodesource.com,debian.map.fastlydns.net,deno.land,dist.nuget.org,dl-cdn.alpinelinux.org,dl.bintray.com,dl.fedoraproject.org,dl.google.com,dl.k8s.io,dlcdn.apache.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.fedoraproject.org,download.java.net,download.opensuse.org,download.oracle.com,download.swift.org,downloads.gradle-dn.com,downloads.haskell.org,ela.st,elastic.co,elastic.dev,elastic.github.io,esm.sh,fastly.hex.pm,files.pythonhosted.org,fonts.googleapis.com,fonts.gstatic.com,gcr.io,ge.jetbrains.com,gems.rubyforge.org,gems.rubyonrails.org,get-ghcup.haskell.org,get.pnpm.io,getcomposer.org,ghcr.io,github-cloud.g
ithubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,gradle.org,haskell.org,hex.pm,host.docker.internal,index.crates.io,index.rubygems.org,jcenter.bintray.com,jdk.java.net,jitpack.io,json-schema.org,json.schemastore.org,jsr.io,keyring.debian.org,keyserver.ubuntu.com,kotlin.bintray.com,lfs.github.com,maven.apache.org,maven.google.com,maven.oracle.com,maven.pkg.github.com,mcr.microsoft.com,metacpan.org,mirror.archlinux.org,mirror.centos.org,mirrors.fedoraproject.org,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.debian.org,packages.jetbrains.team,packages.microsoft.com,packagist.org,pip.pypa.io,pkg.alpinelinux.org,pkg.go.dev,pkg.machengine.org,pkgs.dev.azure.com,pkgs.k8s.io,playwright.download.prss.microsoft.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,production.cloudflare.docker.com,productionresultssa0.blob.core.windows.net,productionresultssa1.blob.core.windows.net,productionresultssa10.blob.core.windows.net,productionresultssa11.blob.core.windows.net,productionresultssa12.blob.core.windows.net,productionresultssa13.blob.core.windows.net,productionresultssa14.blob.core.windows.net,productionresultssa15.blob.core.windows.net,productionresultssa16.blob.core.windows.net,productionresultssa17.blob.core.windows.net,productionresultssa18.blob.core.windows.net,productionresultssa19.blob.core.windows.net,productionresultssa2.blob.core.windows.net,productionresultssa3.blob.core.windows.net,productionresultssa4.blob.core.windows.net,productionresultssa5.blob.core.windows.net,productionresultssa6.blob.core.window
s.net,productionresultssa7.blob.core.windows.net,productionresultssa8.blob.core.windows.net,productionresultssa9.blob.core.windows.net,proxy.golang.org,pub.dartlang.org,pub.dev,public-code-search.fastmcp.app,pypi.org,pypi.python.org,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.terraform.io,registry.yarnpkg.com,releases.hashicorp.com,repo.anaconda.com,repo.clojars.org,repo.continuum.io,repo.gradle.org,repo.grails.org,repo.hex.pm,repo.maven.apache.org,repo.packagist.org,repo.scala-sbt.org,repo.spring.io,repo.typesafe.com,repo.yarnpkg.com,repo1.maven.org,rubygems.org,rubygems.pkg.github.com,s.symcb.com,s.symcd.com,scala-ci.typesafe.com,security.debian.org,security.ubuntu.com,services.gradle.org,sh.rustup.rs,skimdb.npmjs.com,static.crates.io,static.rust-lang.org,storage.googleapis.com,sum.golang.org,swift.org,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,vault.centos.org,www.cpan.org,www.elastic.co,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com,yum.releases.hashicorp.com,ziglang.org" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":\"${{ inputs.close-older-issues }}\",\"expires\":168,\"max\":1,\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":\"${{ inputs.close-older-issues }}\",\"expires\":168,\"max\":1,\"target-repo\":\"${{ inputs.target-repo || '' }}\",\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = 
require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); diff --git a/.github/workflows/gh-aw-scheduled-audit.md b/.github/workflows/gh-aw-scheduled-audit.md index e2f511dc..d61a6dc0 100644 --- a/.github/workflows/gh-aw-scheduled-audit.md +++ b/.github/workflows/gh-aw-scheduled-audit.md @@ -5,6 +5,7 @@ description: "Generic scheduled audit — investigate the repository and file an imports: - gh-aw-fragments/elastic-tools.md - gh-aw-fragments/runtime-setup.md + - gh-aw-fragments/vault-token.md - gh-aw-fragments/formatting.md - gh-aw-fragments/rigor.md - gh-aw-fragments/mcp-pagination.md @@ -31,11 +32,21 @@ on: description: "Title prefix for created issues, e.g. '[my-audit]'" type: string required: true + target-repo: + description: "Optional owner/repo slug to create issues in a remote repository" + type: string + required: false + default: "" issue-label: description: "Label to apply to created issues (must already exist in the target repo)" type: string required: false default: "" + token-policy: + description: "Optional vault token policy used to mint an ephemeral GitHub token" + type: string + required: false + default: "" setup-commands: description: "Shell commands to run before the agent starts (dependency install, build, etc.)" type: string @@ -59,6 +70,8 @@ on: secrets: COPILOT_GITHUB_TOKEN: required: true + GITHUB_TOKEN: + required: false roles: [admin, maintainer, write] bots: - "${{ inputs.allowed-bot-users }}" @@ -84,12 +97,13 @@ steps: - name: List previous findings if: ${{ !inputs.close-older-issues }} env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }} TITLE_PREFIX: ${{ inputs.title-prefix }} + TARGET_REPO: ${{ inputs.target-repo || github.repository }} run: | set -euo pipefail gh issue list \ - --repo "$GITHUB_REPOSITORY" \ + --repo "$TARGET_REPO" \ --search "in:title \"$TITLE_PREFIX\"" \ --state all \ --limit 100 \ 
diff --git a/.github/workflows/gh-aw-text-auditor.lock.yml b/.github/workflows/gh-aw-text-auditor.lock.yml index d49fa427..cf067269 100644 --- a/.github/workflows/gh-aw-text-auditor.lock.yml +++ b/.github/workflows/gh-aw-text-auditor.lock.yml @@ -31,15 +31,16 @@ # - gh-aw-fragments/messages-footer.md # - gh-aw-fragments/network-ecosystems.md # - gh-aw-fragments/pick-three-keep-many.md -# - gh-aw-fragments/previous-findings.md +# - gh-aw-fragments/previous-findings-target-repo.md # - gh-aw-fragments/rigor.md # - gh-aw-fragments/runtime-setup.md # - gh-aw-fragments/safe-output-create-issue.md # - gh-aw-fragments/scheduled-audit.md +# - gh-aw-fragments/vault-token.md # # inlined-imports: true # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"d93d636ba529f70b8fb4893143d11651d56e57cdbd82a51e605412a283bee5f3"} +# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"8b9304400ba9f126d565273073fdb52a001a92a16b76dc00b3a17cf3a73673ec"} name: "Text Auditor" "on": @@ -101,14 +102,26 @@ name: "Text Auditor" description: Shell commands to run before the agent starts (dependency install, build, etc.) required: false type: string + target-repo: + default: "" + description: Optional owner/repo slug to create issues in a remote repository + required: false + type: string title-prefix: default: "[text-auditor]" description: Title prefix for created issues (e.g. '[text-auditor]') required: false type: string + token-policy: + default: "" + description: Optional vault token policy used to mint an ephemeral GitHub token + required: false + type: string secrets: COPILOT_GITHUB_TOKEN: required: true + GITHUB_TOKEN: + required: false permissions: {} @@ -239,6 +252,9 @@ jobs: GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' + GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' ## Formatting Guidelines 
@@ -697,10 +713,11 @@ jobs: echo "$install_dir" >> "$GITHUB_PATH" shell: bash - env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }} + TARGET_REPO: ${{ inputs.target-repo || github.repository }} TITLE_PREFIX: ${{ inputs.title-prefix }} name: List previous findings - run: "set -euo pipefail\ngh issue list \\\n --repo \"$GITHUB_REPOSITORY\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }" + run: "set -euo pipefail\ngh issue list \\\n --repo \"$TARGET_REPO\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }" - env: SETUP_COMMANDS: ${{ inputs.setup-commands }} if: ${{ inputs.setup-commands != '' }} @@ -725,9 +742,9 @@ jobs: (github.event.pull_request) || (github.event.issue.pull_request) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} with: - github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); 
@@ -803,7 +820,7 @@ jobs: cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { - "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \".", + "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"${{ inputs.title-prefix }} \". Issues will be created in repository \"${{ inputs.target-repo || '' }}\".", "inputSchema": { "additionalProperties": false, "properties": { @@ -1446,7 +1463,7 @@ jobs: GH_AW_NOOP_MAX: "1" GH_AW_WORKFLOW_NAME: "Text Auditor" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1459,7 +1476,7 @@ jobs: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_WORKFLOW_NAME: "Text Auditor" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); 
@@ -1479,7 +1496,7 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"${{ inputs.messages-footer || '---\\n[What is this?](https://ela.st/github-ai-tools) | [From workflow: {workflow_name}]({run_url})\\n\\nGive us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.' }}\",\"activationComments\":\"false\"}" GH_AW_GROUP_REPORTS: "false" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1496,7 +1513,7 @@ jobs: GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} GH_AW_NOOP_REPORT_AS_ISSUE: "true" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1564,6 +1581,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Create ephemeral token + id: create-token + if: ${{ inputs.token-policy != '' }} + uses: elastic/oblt-actions/github/create-token@55166bdfaa06a86350bd4516af37ceae1d45b757 # 55166bdfaa06a86350bd4516af37ceae1d45b757 + with: + token-policy: ${{ inputs.token-policy }} - name: Process Safe Outputs id: process_safe_outputs uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1572,9 +1595,9 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.docker.com,*.docker.io,*.githubusercontent.com,*.hackage.haskell.org,*.jsr.io,*.pythonhosted.org,*.rvm.io,*.vsblob.vsassets.io,adoptium.net,agents-md-generator.fastmcp.app,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.rubygems.org,api.snapcraft.io,apt.llvm.org,apt.releases.hashicorp.com,archive.apache.org,archive.ubuntu.com,archlinux.org,artifacts.elastic.co,auth.docker.io,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bitbucket.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,builds.hex.pm,bun.sh,bundler.rubygems.org,cache.ruby-lang.org,cdn.azul.com,cdn.cocoapods.org,cdn.hex.pm,cdn.jsdelivr.net,cdn.playwright.dev,cdn.redhat.com,cdn.sheetjs.com,central.sonatype.com,ci.dot.net,clojars.org,cloud.elastic.co,cocoapods.org,code.jquery.com,codeload.github.com,conda.anaconda.org,conda.binstar.org,cpan.metacpan.org,cpan.org,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.jsdelivr.com,dc.services.visualstudio.com,deb.debian.org,deb.nodesource.com,debian.map.fastlydns.net,deno.land,dist.nuget.org,dl-cdn.alpinelinux.org,dl.bintray.com,dl.fedoraproject.org,dl.google.com,dl.k8s.io,dlcdn.apache.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.fedoraproject.org,download.java.net,download.opensuse.org,download.oracle.com,download.swift.org,downloads.gradle-dn.com,downloads.haskell.org,ela.st,elastic.co,elastic.dev,elastic.github.io,esm.sh,fastly.hex.pm,files.pythonhosted.org,fonts.googleapis.com,fonts.gstatic.com,gcr.io,ge.jetbrains.com,gems.rubyforge.org,gems.rubyonrails.org,get-ghcup.haskell.org,get.pnpm.io,getcomposer.org,ghcr.io,github-cloud.g
ithubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,gradle.org,haskell.org,hex.pm,host.docker.internal,index.crates.io,index.rubygems.org,jcenter.bintray.com,jdk.java.net,jitpack.io,json-schema.org,json.schemastore.org,jsr.io,keyring.debian.org,keyserver.ubuntu.com,kotlin.bintray.com,lfs.github.com,maven.apache.org,maven.google.com,maven.oracle.com,maven.pkg.github.com,mcr.microsoft.com,metacpan.org,mirror.archlinux.org,mirror.centos.org,mirrors.fedoraproject.org,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.debian.org,packages.jetbrains.team,packages.microsoft.com,packagist.org,pip.pypa.io,pkg.alpinelinux.org,pkg.go.dev,pkg.machengine.org,pkgs.dev.azure.com,pkgs.k8s.io,playwright.download.prss.microsoft.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,production.cloudflare.docker.com,productionresultssa0.blob.core.windows.net,productionresultssa1.blob.core.windows.net,productionresultssa10.blob.core.windows.net,productionresultssa11.blob.core.windows.net,productionresultssa12.blob.core.windows.net,productionresultssa13.blob.core.windows.net,productionresultssa14.blob.core.windows.net,productionresultssa15.blob.core.windows.net,productionresultssa16.blob.core.windows.net,productionresultssa17.blob.core.windows.net,productionresultssa18.blob.core.windows.net,productionresultssa19.blob.core.windows.net,productionresultssa2.blob.core.windows.net,productionresultssa3.blob.core.windows.net,productionresultssa4.blob.core.windows.net,productionresultssa5.blob.core.windows.net,productionresultssa6.blob.core.window
s.net,productionresultssa7.blob.core.windows.net,productionresultssa8.blob.core.windows.net,productionresultssa9.blob.core.windows.net,proxy.golang.org,pub.dartlang.org,pub.dev,public-code-search.fastmcp.app,pypi.org,pypi.python.org,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.terraform.io,registry.yarnpkg.com,releases.hashicorp.com,repo.anaconda.com,repo.clojars.org,repo.continuum.io,repo.gradle.org,repo.grails.org,repo.hex.pm,repo.maven.apache.org,repo.packagist.org,repo.scala-sbt.org,repo.spring.io,repo.typesafe.com,repo.yarnpkg.com,repo1.maven.org,rubygems.org,rubygems.pkg.github.com,s.symcb.com,s.symcd.com,scala-ci.typesafe.com,security.debian.org,security.ubuntu.com,services.gradle.org,sh.rustup.rs,skimdb.npmjs.com,static.crates.io,static.rust-lang.org,storage.googleapis.com,sum.golang.org,swift.org,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,vault.centos.org,www.cpan.org,www.elastic.co,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com,yum.releases.hashicorp.com,ziglang.org" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":false,\"expires\":168,\"max\":1,\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":false,\"expires\":168,\"max\":1,\"target-repo\":\"${{ inputs.target-repo || '' }}\",\"title_prefix\":\"${{ inputs.title-prefix }} \"},\"missing_data\":{},\"missing_tool\":{}}" with: - github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, 
exec, io);
diff --git a/.github/workflows/gh-aw-text-auditor.md b/.github/workflows/gh-aw-text-auditor.md
index 204b6f9b..c9d01b8c 100644
--- a/.github/workflows/gh-aw-text-auditor.md
+++ b/.github/workflows/gh-aw-text-auditor.md
@@ -5,12 +5,13 @@ description: "Find typos, unclear error messages, and awkward user-facing text,
 imports:
 - gh-aw-fragments/elastic-tools.md
 - gh-aw-fragments/runtime-setup.md
+ - gh-aw-fragments/vault-token.md
 - gh-aw-fragments/formatting.md
 - gh-aw-fragments/rigor.md
 - gh-aw-fragments/mcp-pagination.md
 - gh-aw-fragments/messages-footer.md
 - gh-aw-fragments/safe-output-create-issue.md
- - gh-aw-fragments/previous-findings.md
+ - gh-aw-fragments/previous-findings-target-repo.md
 - gh-aw-fragments/pick-three-keep-many.md
 - gh-aw-fragments/scheduled-audit.md
 - gh-aw-fragments/network-ecosystems.md
@@ -75,9 +76,21 @@ on:
 type: string
 required: false
 default: "[text-auditor]"
+ target-repo:
+ description: "Optional owner/repo slug to create issues in a remote repository"
+ type: string
+ required: false
+ default: ""
+ token-policy:
+ description: "Optional vault token policy used to mint an ephemeral GitHub token"
+ type: string
+ required: false
+ default: ""
 secrets:
 COPILOT_GITHUB_TOKEN:
 required: true
+ GITHUB_TOKEN:
+ required: false
 roles: [admin, maintainer, write]
 bots:
 - "${{ inputs.allowed-bot-users }}"
@@ -99,6 +112,7 @@ safe-outputs:
 noop:
 create-issue:
 max: 1
+ target-repo: "${{ inputs.target-repo || '' }}"
 title-prefix: "${{ inputs.title-prefix }} "
 close-older-issues: false
 expires: 7d
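Review bot: The new `target-repo` input is accepted as an unconstrained string, yet the compiled workflow earlier in this diff splices it into two JSON strings (the create_issue tool description and GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG) and into `gh issue list --repo`, so a value containing `"` or `\` yields malformed JSON instead of a clear error; an `owner/repo` shape check at the start of the run (for example against a constructed pattern like `^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$`) would fail fast. The description also does not say which credential is used for a remote repository: the compiled steps resolve `steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token`, so a caller who sets `target-repo` without `token-policy` or `GITHUB_TOKEN` ends up creating issues with the workflow's own token, which has no rights on another repository. Suggest `description: "Optional owner/repo slug to create issues in a remote repository; requires token-policy or a GITHUB_TOKEN secret with issues:write on that repository"`. It is also worth confirming that a workflow_call secret named `GITHUB_TOKEN` is actually distinguishable from the automatic token inside the called workflow; if it resolves to the same value, the `secrets.GITHUB_TOKEN || github.token` fallback is a no-op and callers cannot supply a different token that way.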
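Review bot: Deduplication against the remote repository does not use the ephemeral token: in the compiled workflow the "List previous findings" step runs with `secrets.GITHUB_TOKEN || github.token` only, while `steps.create-token` appears to be defined in the later safe-outputs job, so a caller who supplies only `token-policy` for a private `target-repo` hits the `::warning::Failed to fetch previous findings — dedup will be skipped` path, gets an empty `[]` list, and duplicate issues can be filed in the remote repository. Either the previous-findings-target-repo fragment should receive the same token, or the `target-repo` documentation should state that `GITHUB_TOKEN` with read access to the target is required for dedup to work. Separately, `${{ inputs.target-repo || '' }}` is equivalent to `${{ inputs.target-repo }}` given `default: ""` unless the `|| ''` exists to normalise a null from callers that omit the input; a one-line comment would remove the guesswork, e.g. `# '' rather than null when the caller omits the input, so the compiled JSON config stays a string`.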