You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
tools.playwright: MCP mode is deprecated. Migrate to CLI mode by adding 'mode: cli' ... Auto-derivation may become an error in a future release.
The only Playwright codemod today is codemod_playwright_domains.go (allowed_domains → network.allowed). There is no codemod that migrates the deprecated MCP execution mode to mode: cli, so gh aw fix leaves every affected workflow on the deprecated path.
Proposed codemod (playwright-mcp-mode-to-cli): when tools.playwright is present without mode: cli, insert mode: cli. Optionally flag prompt bodies that call MCP browser tools so authors can switch to playwright-cli <command> in bash.
2. safe-inputs in imported/shared fragments is silently dropped (3 repos)
compile emits:
Ignoring unexpected frontmatter fields in .../shared/go-make.md: safe-inputs
The safe-inputs-to-mcp-scripts codemod exists, is registered, and is listed by gh aw fix --list-codemods — but running gh aw fix --write reports ✓ No fixes needed and leaves the field in place. Root cause: fix only rewrites the top-level workflow .md files; it does not descend into files pulled in via imports: (e.g. shared/*.md, gh-aw-fragments/*.md), which is exactly where these repos declare safe-inputs. At compile time the field is then silently ignored (dropped), so the intended MCP-scripts configuration is lost with no error.
Affected (3):elastic/ai-github-actions (16 fragment files), github/gh-aw-firewall (3), github/gh-aw-mcpg (3).
Reproduction
git clone --depth 1 https://github.com/elastic/ai-github-actions
cd ai-github-actions
gh aw fix --write # -> "No fixes needed"
grep -l '^safe-inputs:' .github/workflows/gh-aw-fragments/*.md # still present
gh aw compile # -> "Ignoring unexpected frontmatter fields ... : safe-inputs"
Proposed fix (two parts):
Make gh aw fix resolve and rewrite fragment files referenced via imports: (so fragment-scoped codemods like safe-inputs-to-mcp-scripts actually apply), or apply frontmatter codemods to the merged/expanded config and write results back to their source files.
Make compile surface dropped-field cases more loudly for known-renamed keys (e.g. suggest the codemod, or error under --strict) instead of an easy-to-miss "Ignoring unexpected frontmatter fields" line — silent config loss is the real hazard here.
Below-threshold observations (single repo — not proposing codemods)
restore-memory: got object, want boolean — githubnext/gh-aw-test (1). Schema type change; no migration codemod.
add-pr-comment unknown property — ms-mfg-community/day-in-the-life-copilot-lab (1). Never a valid key; compiler already suggests add-comment. Pure user typo, not a codemod target.
Method note
Discovery ran under a repo-scoped Actions token (no cross-GitHub code search), so the candidate pool came from gh search repos + contents-API lock-file verification. Counts above are lower bounds on real-world prevalence.
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
models.dev
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
Two cross-repo codemod/coverage gaps found in the daily compatibility audit (gh-aw b141a48)
Both reproduce across ≥2 public repos in the top-20-by-stars set. Neither is fixed by
gh aw fix --writetoday.1. Playwright MCP mode → CLI mode: no migrating codemod (4 repos)
compileemits, per Playwright tool:The only Playwright codemod today is
codemod_playwright_domains.go(allowed_domains→network.allowed). There is no codemod that migrates the deprecated MCP execution mode tomode: cli, sogh aw fixleaves every affected workflow on the deprecated path.Affected (4):
elastic/ai-github-actions,github/gh-aw-mcpg,github/gh-aw-firewall,pelikhan/github-agentic-workflows.Proposed codemod (
playwright-mcp-mode-to-cli): whentools.playwrightis present withoutmode: cli, insertmode: cli. Optionally flag prompt bodies that call MCP browser tools so authors can switch toplaywright-cli <command>in bash.2.
safe-inputsin imported/sharedfragments is silently dropped (3 repos)compileemits:The
safe-inputs-to-mcp-scriptscodemod exists, is registered, and is listed bygh aw fix --list-codemods— but runninggh aw fix --writereports✓ No fixes neededand leaves the field in place. Root cause:fixonly rewrites the top-level workflow.mdfiles; it does not descend into files pulled in viaimports:(e.g.shared/*.md,gh-aw-fragments/*.md), which is exactly where these repos declaresafe-inputs. At compile time the field is then silently ignored (dropped), so the intended MCP-scripts configuration is lost with no error.Affected (3):
elastic/ai-github-actions(16 fragment files),github/gh-aw-firewall(3),github/gh-aw-mcpg(3).Reproduction
Proposed fix (two parts):
gh aw fixresolve and rewrite fragment files referenced viaimports:(so fragment-scoped codemods likesafe-inputs-to-mcp-scriptsactually apply), or apply frontmatter codemods to the merged/expanded config and write results back to their source files.compilesurface dropped-field cases more loudly for known-renamed keys (e.g. suggest the codemod, or error under--strict) instead of an easy-to-miss "Ignoring unexpected frontmatter fields" line — silent config loss is the real hazard here.Below-threshold observations (single repo — not proposing codemods)
restore-memory: got object, want boolean—githubnext/gh-aw-test(1). Schema type change; no migration codemod.add-pr-commentunknown property —ms-mfg-community/day-in-the-life-copilot-lab(1). Never a valid key; compiler already suggestsadd-comment. Pure user typo, not a codemod target.Method note
Discovery ran under a repo-scoped Actions token (no cross-GitHub code search), so the candidate pool came from
gh search repos+ contents-API lock-file verification. Counts above are lower bounds on real-world prevalence.Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
models.devSee Network Configuration for more information.