diff --git a/.changeset/patch-setup-gh-aw-install-idempotency.md b/.changeset/patch-setup-gh-aw-install-idempotency.md
new file mode 100644
index 00000000000..44697e623fc
--- /dev/null
+++ b/.changeset/patch-setup-gh-aw-install-idempotency.md
@@ -0,0 +1,5 @@
+---
+"gh-aw": patch
+---
+
+Make `setup-gh-aw` idempotent when `gh-aw` is already installed, so existing `gh aw` commands are reused instead of failing on extension conflicts.
diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml
index a46769d7418..09d39c5eeed 100644
--- a/.github/workflows/agent-performance-analyzer.lock.yml
+++ b/.github/workflows/agent-performance-analyzer.lock.yml
@@ -518,18 +518,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index f967d93cb01..8230842145d 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml 
@@ -518,18 +518,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index dcb844f5d12..0334544e6a3 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml 
@@ -555,18 +555,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index bdf9f980a7b..37ba933e871 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml 
@@ -575,18 +575,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index d555ab0db93..faae1654ea9 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml 
@@ -513,18 +513,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 8fa4ded22d4..dcfbbea516c 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml 
@@ -676,18 +676,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml index 00dcf6107ed..1576f493a52 100644 --- a/.github/workflows/copilot-token-audit.lock.yml +++ b/.github/workflows/copilot-token-audit.lock.yml @@ -446,7 +446,7 @@ jobs: BINARY=dist/gh-aw-linux-amd64 - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version 
@@ -543,18 +543,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/copilot-token-optimizer.lock.yml b/.github/workflows/copilot-token-optimizer.lock.yml index d1cfd65a613..b2bd4cf2157 100644 --- a/.github/workflows/copilot-token-optimizer.lock.yml +++ b/.github/workflows/copilot-token-optimizer.lock.yml @@ -415,7 +415,7 @@ jobs: persist-credentials: false - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version 
diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index 0533ae540e8..f4b19b64493 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml @@ -530,18 +530,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml index 63079db28c3..37b096a76b3 100644 --- a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml 
+++ b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml @@ -495,18 +495,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index f98b315ff5f..b62d9e78155 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml 
@@ -533,18 +533,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" 
@@ -1465,18 +1463,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_d72f2e6a4448437a_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_845ec5ddedb0d907_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_d72f2e6a4448437a_EOF + GH_AW_MCP_CONFIG_845ec5ddedb0d907_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_730fc89480c5d282_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_447bebc93aa2b1a0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1487,11 +1485,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_730fc89480c5d282_EOF + GH_AW_MCP_CONFIG_447bebc93aa2b1a0_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_865f7e42d33f7113_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_44098e6cd11f946e_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1501,7 +1499,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_865f7e42d33f7113_EOF + GH_AW_CODEX_SHELL_POLICY_44098e6cd11f946e_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 5307cdebe57..064ef9e1254 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml 
@@ -497,18 +497,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index eba1076073a..6ab40db2d31 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml 
@@ -545,18 +545,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 380b76a2dc5..283353163c4 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -505,18 +505,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" 
@@ -1386,18 +1384,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_8a512fcb3f800e43_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_41cb57481d6ac09e_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_8a512fcb3f800e43_EOF + GH_AW_MCP_CONFIG_41cb57481d6ac09e_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_bbebc01e8517f794_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_24d55f0646f3099f_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1408,11 +1406,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_bbebc01e8517f794_EOF + GH_AW_MCP_CONFIG_24d55f0646f3099f_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_241bcc0f4f4c6404_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_9f82049d79241df0_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1422,7 +1420,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_241bcc0f4f4c6404_EOF + GH_AW_CODEX_SHELL_POLICY_9f82049d79241df0_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 85d43746715..e66e87577df 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml 
@@ -540,18 +540,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index cc8d63440c5..67c1c682d93 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml 
@@ -543,18 +543,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index 12d9f83c50f..d9072abea15 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml 
@@ -582,18 +582,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-subagent-optimizer.lock.yml b/.github/workflows/daily-subagent-optimizer.lock.yml index 4cd1276628d..0e03338ae7d 100644 --- a/.github/workflows/daily-subagent-optimizer.lock.yml +++ b/.github/workflows/daily-subagent-optimizer.lock.yml 
@@ -528,18 +528,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 4169c89b0a2..3d998dbd6f0 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml 
@@ -809,18 +809,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 4f80fa205c3..f806345a8e4 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml 
@@ -525,18 +525,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 6bc5beb107f..993496f63c8 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml 
@@ -218,7 +218,7 @@ jobs: cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_8dcabe35d6785795_EOF' - Tools: create_issue, missing_tool, missing_data, noop + Tools: create_issue(max:3), missing_tool, missing_data, noop GH_AW_PROMPT_8dcabe35d6785795_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md" @@ -510,14 +510,14 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_eef6781d680527d3_EOF' - {"create_issue":{"assignees":["copilot"],"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} + {"create_issue":{"assignees":["copilot"],"expires":48,"group":true,"labels":["code-quality","automated-analysis","cookie"],"max":3,"title_prefix":"[duplicate-code] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} GH_AW_SAFE_OUTPUTS_CONFIG_eef6781d680527d3_EOF - name: Generate Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | { "description_suffixes": { - "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned." + "create_issue": " CONSTRAINTS: Maximum 3 issue(s) can be created. Title will be prefixed with \"[duplicate-code] \". Labels [\"code-quality\" \"automated-analysis\" \"cookie\"] will be automatically added. Assignees [\"copilot\"] will be automatically assigned." }, "repo_params": {}, "dynamic_tools": [] 
@@ -1384,18 +1384,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_f88cb462a26159af_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_6fa573e98e0f7b23_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_f88cb462a26159af_EOF + GH_AW_MCP_CONFIG_6fa573e98e0f7b23_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_bf50992278c59621_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_c0234d9356ee6886_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1406,11 +1406,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_bf50992278c59621_EOF + GH_AW_MCP_CONFIG_c0234d9356ee6886_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_5ec8074adfe7d7fa_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_ba49ebc278636ac8_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1420,7 +1420,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_5ec8074adfe7d7fa_EOF + GH_AW_CODEX_SHELL_POLICY_ba49ebc278636ac8_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } 
@@ -1590,7 +1590,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.grafana.net,*.sentry.io,172.30.0.1,api.github.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,chatgpt.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"copilot\"],\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"copilot\"],\"expires\":48,\"group\":true,\"labels\":[\"code-quality\",\"automated-analysis\",\"cookie\"],\"max\":3,\"title_prefix\":\"[duplicate-code] \"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" GH_AW_ASSIGN_COPILOT: "true" GH_AW_ASSIGN_TO_AGENT_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index ca9b78bc12a..22b28f65a21 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml 
@@ -500,18 +500,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index bf93fbc32c5..44651018a75 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -619,18 +619,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" docker.io/mcp/brave-search@sha256:ca96b8acb27d8cf601a8faef86a084602cffa41d8cb18caa1e29ba4d16989d22 ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 mcp/arxiv-mcp-server@sha256:6dc6bba6dfed97f4ad6eb8d23a5c98ef5b7fa6184937d54b2d675801cd9dd29e mcp/ast-grep:latest@sha256:5fc3f2e9dcf2c019e92662f608b8d89e12134ed6d91e6f5461de6efd506a1e72 mcp/context7@sha256:1174e6a29634a83b2be93ac1fefabf63265f498c02c72201fe3464e687dd8836 mcp/markitdown@sha256:1cef3bf502503310ed0884441874ccf6cdaac20136dc1179797fa048269dc4cb mcp/memory@sha256:db0c2db07a44b6797eba7a832b1bda142ffc899588aae82c92780cbb2252407f mcp/notion@sha256:4de8eb0de33402fcbd3740b4f4039918e4893155c7ea833c7a0c472001b88367 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f python:alpine@sha256:6f873e340e6786787a632c919ecfb1d2301eb33ccfbe9f0d0add16cbc0892116 - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." 
- gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index ed4483a888f..a88f418fe4e 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -526,18 +526,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" 
diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 3dceaf4972e..cc55818105c 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -409,7 +409,7 @@ jobs: git -c "http.extraheader=Authorization: Basic ${header}" fetch origin '+refs/pull/*/head:refs/remotes/origin/pull/*/head' - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index f77d0ee4aa0..5801b1125b6 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -588,18 +588,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 3ed5f3a03ae..98d17b64f12 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml 
@@ -541,18 +541,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 2ac7ba9c473..fc1f435ec71 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -593,18 +593,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index a83beb0064b..53598258101 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml 
@@ -534,18 +534,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 1e55109d86d..fd7b1984ade 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml 
@@ -554,18 +554,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 2f45b5f6eef..676a740b5bd 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml 
@@ -1000,18 +1000,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 7432274b94e..23b71f11b93 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml 
@@ -631,18 +631,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index cd51384f6b4..cc5b8dbd077 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml 
@@ -693,18 +693,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/spec-librarian.lock.yml b/.github/workflows/spec-librarian.lock.yml index 01973d5ec4d..8fc0af2c95c 100644 --- a/.github/workflows/spec-librarian.lock.yml +++ b/.github/workflows/spec-librarian.lock.yml 
@@ -511,14 +511,14 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_f5aa6228691f0772_EOF' - {"create_issue":{"assignees":["copilot"],"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} + {"create_issue":{"assignees":["copilot"],"close_older_issues":true,"expires":72,"labels":["pkg-specifications","review","automation"],"max":1,"title_prefix":"[spec-librarian] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} GH_AW_SAFE_OUTPUTS_CONFIG_f5aa6228691f0772_EOF - name: Generate Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | { "description_suffixes": { - "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned." + "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[spec-librarian] \". Labels [\"pkg-specifications\" \"review\" \"automation\"] will be automatically added. Assignees [\"copilot\"] will be automatically assigned." }, "repo_params": {}, "dynamic_tools": [] 
@@ -1579,7 +1579,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,*.grafana.net,*.sentry.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"copilot\"],\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"copilot\"],\"close_older_issues\":true,\"expires\":72,\"labels\":[\"pkg-specifications\",\"review\",\"automation\"],\"max\":1,\"title_prefix\":\"[spec-librarian] \"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" GH_AW_ASSIGN_COPILOT: "true" GH_AW_ASSIGN_TO_AGENT_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN || 
secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index c868348194e..b0986ec21b8 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -445,7 +445,7 @@ jobs: BINARY=dist/gh-aw-linux-amd64 - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version 
@@ -548,18 +548,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 0018e814b5c..23936e219e5 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml 
@@ -523,18 +523,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 56aaabb126b..d1ba1c86aa3 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml 
@@ -495,18 +495,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/pkg/workflow/agentic_workflow_test.go b/pkg/workflow/agentic_workflow_test.go index db20e4b938d..ea37e2459d2 100644 --- a/pkg/workflow/agentic_workflow_test.go +++ b/pkg/workflow/agentic_workflow_test.go @@ -139,6 +139,8 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { // Create compiler using helper c := testCompiler() + c.actionMode = ActionModeAction + c.version = "v0.72.1" // Generate MCP setup var yaml strings.Builder 
@@ -149,17 +151,23 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { // Verify the install step is present assert.Contains(t, result, "Install gh-aw extension", - "MCP setup should include gh-aw installation step when agentic-workflows tool is enabled and no import is present") - - // Verify GH_TOKEN environment variable is set with the default token expression - assert.Contains(t, result, "GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}", - "install step should use default GH_TOKEN fallback chain when no custom token is specified") - - // Verify the install commands are present - assert.Contains(t, result, "gh extension install github/gh-aw", - "install step should include command to install gh-aw extension") - assert.Contains(t, result, "if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then", - "install step should detect both github/gh-aw and local gh-aw extension registrations") + "MCP setup should include gh-aw installation step when agentic-workflows tool is enabled") + + // Verify setup-cli action is used with default token expression + assert.Contains(t, result, "uses: github/gh-aw/actions/setup-cli@", + "install step should use setup-cli action") + assert.Contains(t, result, "version: 'v0.72.1'", + "install step should install the compiler release version") + assert.Contains(t, result, "github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}", + "install step should use default github-token fallback chain when no custom token is specified") + assert.NotContains(t, result, "setup-cli@main", + "install step should not use mutable main ref for setup-cli action") + assert.NotContains(t, result, "version: latest", + "install step should not use mutable latest CLI version") + + // Verify follow-up copy/verification commands are present + assert.Contains(t, result, "Copy gh-aw binary for MCP server", 
+ "MCP setup should include a step to copy gh-aw binary for MCP server containerization") assert.Contains(t, result, "gh aw --version", "install step should include command to verify gh-aw installation") @@ -168,39 +176,13 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { "install step should copy gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization") } -func TestAgenticWorkflowsInstallStepSkippedWithImport(t *testing.T) { - // Create workflow data using helper with imported files option - workflowData := workflowDataWithAgenticWorkflows( - withImportedFiles("shared/mcp/gh-aw.md"), - ) - - // Create compiler using helper - c := testCompiler() - - // Generate MCP setup - var yaml strings.Builder - engine := NewCopilotEngine() - - require.NoError(t, c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData)) - result := yaml.String() - - // Verify the install step is NOT present when import exists - assert.NotContains(t, result, "Install gh-aw extension", - "install step should be skipped when shared/mcp/gh-aw.md is imported") - - // Verify the install command is also not present - assert.NotContains(t, result, "gh extension install github/gh-aw", - "gh extension install command should be absent when shared/mcp/gh-aw.md is imported") -} - func TestAgenticWorkflowsInstallStepPresentWithoutImport(t *testing.T) { // Create workflow data using helper with empty imports - workflowData := workflowDataWithAgenticWorkflows( - withImportedFiles(), // Empty imports - ) + workflowData := workflowDataWithAgenticWorkflows(withImportedFiles()) // Create compiler using helper c := testCompiler() + c.actionMode = ActionModeDev // Generate MCP setup var yaml strings.Builder 
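Review bot: The new assertions accept any ref after `setup-cli@` except `main`, so the tag fallback (`setup-cli@v0.72.1`) passes just as a commit-SHA pin would. If release-mode output is meant to be pinned, assert the shape of the ref, e.g. `assert.Regexp(t, "setup-cli@[0-9a-f]{40}", result)`. If the test compiler has no pin data and a tag is expected here, say so in the assertion message so the gap is deliberate. The test name still ends in `IncludesGHToken` although the check is now on the `github-token` input. The test function starts before this hunk.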
@@ -209,13 +191,13 @@ func TestAgenticWorkflowsInstallStepPresentWithoutImport(t *testing.T) { require.NoError(t, c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData)) result := yaml.String() - // Verify the install step IS present when no import exists - assert.Contains(t, result, "Install gh-aw extension", - "install step should be present when shared/mcp/gh-aw.md is NOT imported") - - // Verify the install command is present - assert.Contains(t, result, "gh extension install github/gh-aw", - "gh extension install command should be present when shared/mcp/gh-aw.md is NOT imported") + // Verify dev install step is present for agentic-workflows tool + assert.Contains(t, result, "Build and install gh-aw CLI from source", + "dev mode should build and install gh-aw from source") + assert.Contains(t, result, "gh extension install .", + "dev mode should install gh-aw extension from local checkout") + assert.NotContains(t, result, "uses: github/gh-aw/actions/setup-cli@", + "dev mode should not use setup-cli action") } // TestAgenticWorkflowsErrorCases tests error handling for invalid configurations diff --git a/pkg/workflow/gh_aw_setup_steps.go b/pkg/workflow/gh_aw_setup_steps.go new file mode 100644 index 00000000000..6344611f98f --- /dev/null +++ b/pkg/workflow/gh_aw_setup_steps.go 
@@ -0,0 +1,87 @@ +package workflow + +import ( + "fmt" + "sort" +) + +type ghAwSetupStepConfig struct { + actionMode ActionMode + ifCondition string + cliVersion string + actionRepo string + fallbackActionRefTag string + workflowData *WorkflowData + withFields map[string]string +} + +func generateGhAwSetupStep(config ghAwSetupStepConfig) (GitHubActionStep, error) { + if config.actionMode == ActionModeDev { + step := GitHubActionStep{" - name: Build and install gh-aw CLI from source"} + if config.ifCondition != "" { + step = append(step, " if: "+config.ifCondition) + } + step = append(step, + " run: |", + " gh extension remove aw --force || true", + " make build", + " gh extension install .", + " gh aw version", + " env:", + " GH_TOKEN: ${{ github.token }}", + ) + return step, nil + } + + // Pinning errors are non-fatal: we still emit a valid step with the fallback + // action reference so compilation and workflow execution can continue. + actionRef, pinErr := resolveGhAwSetupActionRef(config) + step := GitHubActionStep{ + " - name: Install gh-aw extension", + } + if config.ifCondition != "" { + step = append(step, " if: "+config.ifCondition) + } + step = append(step, " uses: "+actionRef) + step = append(step, " with:") + step = append(step, fmt.Sprintf(" version: '%s'", config.cliVersion)) + + var keys []string + for key := range config.withFields { + keys = append(keys, key) + } + sort.Strings(keys) + for _, key := range keys { + step = append(step, fmt.Sprintf(" %s: %s", key, config.withFields[key])) + } + + return step, pinErr +} + +// resolveGhAwSetupActionRef resolves the setup-cli action reference in priority order: +// 1. Use workflow-aware pin resolution (getActionPinWithData) when WorkflowData exists. +// 2. Otherwise use the static pin table (getActionPin) when available. +// 3. Otherwise fall back to repo@tag, then repo with no ref as a final fallback. 
+func resolveGhAwSetupActionRef(config ghAwSetupStepConfig) (string, error) { + if config.workflowData != nil { + actionRef := fmt.Sprintf("%s@%s", config.actionRepo, config.cliVersion) + pinnedRef, err := getActionPinWithData(config.actionRepo, config.cliVersion, config.workflowData) + if err != nil { + return actionRef, err + } + if pinnedRef != "" { + return pinnedRef, nil + } + return actionRef, nil + } + + actionRef := getActionPin(config.actionRepo) + if actionRef != "" { + return actionRef, nil + } + + if config.fallbackActionRefTag != "" { + return fmt.Sprintf("%s@%s", config.actionRepo, config.fallbackActionRefTag), nil + } + return config.actionRepo, nil +} diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 3857da751a6..e004a18fe89 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -119,8 +119,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, } hasAgenticWorkflows := slices.Contains(mcpTools, "agentic-workflows") - hasGhAwImport := hasGhAwSharedImport(workflowData) - generateAgenticWorkflowsInstallStep(yaml, hasAgenticWorkflows, hasGhAwImport) + generateAgenticWorkflowsInstallStep(c, yaml, hasAgenticWorkflows, workflowData) generateSafeOutputsSetup(c, yaml, safeOutputConfig, workflowData) if err := generateMCPScriptsSetup(yaml, workflowData); err != nil { 
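Review bot: A failed pin lookup in `resolveGhAwSetupActionRef` quietly downgrades the emitted `uses:` line to the mutable `repo@tag` form, and the last fallback returns `config.actionRepo` with no ref at all. Both callers visible in this diff only log the returned error, so a compiled workflow can ship with an unpinned setup-cli reference without the compile failing; a tag can be moved after the lock file is generated, which is what SHA pinning is meant to rule out. I would make the no-ref case an error, e.g. `return "", fmt.Errorf("no ref available for %s", config.actionRepo)`, and let callers choose explicitly (a strict mode, or a warning surfaced to the user) whether a tag-only reference is acceptable. `generateGhAwSetupStep` also has no doc comment; a line such as `// In ActionModeDev the step builds from the checkout and ignores cliVersion and withFields.` would record behaviour that is easy to miss.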
@@ -174,36 +173,32 @@ func generateSafeOutputsConfigIfEnabled(workflowData *WorkflowData) (string, err return safeOutputConfig, nil } -func hasGhAwSharedImport(workflowData *WorkflowData) bool { - for _, importPath := range workflowData.ImportedFiles { - if strings.Contains(importPath, "shared/mcp/gh-aw.md") { - return true - } - } - return false -} - -func generateAgenticWorkflowsInstallStep(yaml *strings.Builder, hasAgenticWorkflows bool, hasGhAwImport bool) { +func generateAgenticWorkflowsInstallStep(c *Compiler, yaml *strings.Builder, hasAgenticWorkflows bool, workflowData *WorkflowData) { if !hasAgenticWorkflows { return } - if hasGhAwImport { - mcpSetupGeneratorLog.Print("Skipping gh-aw extension installation step (provided by shared/mcp/gh-aw.md import)") - return - } + + cliVersion := resolveAgenticWorkflowsCLIVersion(c, workflowData) effectiveToken := getEffectiveGitHubToken("") - yaml.WriteString(" - name: Install gh-aw extension\n") - yaml.WriteString(" env:\n") - fmt.Fprintf(yaml, " GH_TOKEN: %s\n", effectiveToken) + actionRepo := GitHubOrgRepo + "/actions/setup-cli" + installStep, err := generateGhAwSetupStep(ghAwSetupStepConfig{ + actionMode: c.actionMode, + cliVersion: cliVersion, + actionRepo: actionRepo, + fallbackActionRefTag: cliVersion, + workflowData: workflowData, + withFields: map[string]string{ + "github-token": effectiveToken, + }, + }) + if err != nil { + mcpSetupGeneratorLog.Printf("Failed to resolve pinned setup-cli action reference for %s@%s: %v", actionRepo, cliVersion, err) + } + for _, line := range installStep { + yaml.WriteString(line + "\n") + } + yaml.WriteString(" - name: Copy gh-aw binary for MCP server\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" # Check if gh-aw extension is already installed\n") - yaml.WriteString(" if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then\n") - yaml.WriteString(" echo \"gh-aw extension already installed, upgrading...\"\n") - yaml.WriteString(" gh extension 
upgrade gh-aw || true\n") - yaml.WriteString(" else\n") - yaml.WriteString(" echo \"Installing gh-aw extension...\"\n") - yaml.WriteString(" gh extension install github/gh-aw\n") - yaml.WriteString(" fi\n") yaml.WriteString(" gh aw --version\n") yaml.WriteString(" # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization\n") yaml.WriteString(" mkdir -p \"${RUNNER_TEMP}/gh-aw\"\n") @@ -222,6 +217,38 @@ func generateAgenticWorkflowsInstallStep(yaml *strings.Builder, hasAgenticWorkfl yaml.WriteString(" fi\n") } +func resolveAgenticWorkflowsCLIVersion(c *Compiler, workflowData *WorkflowData) string { + cliVersion := c.actionTag + if cliVersion == "" { + cliVersion = getActionTagFromFeatures(workflowData) + } + if cliVersion == "" { + cliVersion = c.version + } + // "dev" and empty versions are not valid release pins; fall back to the + // current compiler runtime version so setup-cli always receives a concrete + // pinned release tag in non-dev modes. + if cliVersion == "" || cliVersion == "dev" { + cliVersion = getDefaultGhAWRuntimeVersion() + } + return cliVersion +} + +func getActionTagFromFeatures(workflowData *WorkflowData) string { + if workflowData == nil || workflowData.Features == nil { + return "" + } + actionTagVal, exists := workflowData.Features["action-tag"] + if !exists { + return "" + } + actionTagStr, ok := actionTagVal.(string) + if !ok || actionTagStr == "" { + return "" + } + return actionTagStr +} + func generateSafeOutputsSetup(c *Compiler, yaml *strings.Builder, safeOutputConfig string, workflowData *WorkflowData) { if !HasSafeOutputsEnabled(workflowData.SafeOutputs) { return diff --git a/pkg/workflow/runtime_gh_aw_test.go b/pkg/workflow/runtime_gh_aw_test.go index 9737e5f7383..3e581344016 100644 --- a/pkg/workflow/runtime_gh_aw_test.go +++ b/pkg/workflow/runtime_gh_aw_test.go 
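Review bot: The release-mode install step in `generateAgenticWorkflowsInstallStep` passes `getEffectiveGitHubToken("")` to the setup-cli action as `github-token`, while the dev-mode step uses `${{ github.token }}`. The test in this commit shows the default chain starts with `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN`, presumably a broader-scoped token than the job token, and it is handed to an action whose ref may be unpinned when pin resolution fails (the error is only logged here). If installing the extension needs nothing beyond reading a release, putting `"${{ github.token }}"` in `withFields` would keep the higher-privilege secret out of this step; otherwise a comment saying why the MCP token is required would help. The function's body continues past the end of this hunk.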
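Review bot: `getActionTagFromFeatures` accepts any non-empty string from `workflowData.Features["action-tag"]`, and `resolveAgenticWorkflowsCLIVersion` returns it unchanged. Elsewhere in this commit that value is written into the step as `version: '%s'` and into the `repo@tag` action reference, so a value containing a quote, whitespace or a newline would produce malformed or altered YAML in the compiled workflow. Unless the frontmatter is validated before it reaches this point (not visible in the hunk), I would reject anything that is not a release tag or commit SHA here, for example `if !actionTagPattern.MatchString(actionTagStr) { return "" }`, where `actionTagPattern` is a new package-level regexp I am proposing. Both new functions also lack doc comments; the precedence `c.actionTag`, then the feature value, then `c.version`, then the runtime default deserves one line above `resolveAgenticWorkflowsCLIVersion`.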
@@ -109,7 +109,7 @@ func TestGenerateRuntimeSetupSteps_GhAw_DevBuildsFromSource(t *testing.T) { content := strings.Join(steps[0], "\n") assert.Contains(t, content, "Build and install gh-aw CLI from source") - assert.Contains(t, content, "gh extension remove gh-aw || true") + assert.Contains(t, content, "gh extension remove aw --force || true") assert.Contains(t, content, "make build") assert.Contains(t, content, "gh extension install .") assert.Contains(t, content, "gh aw version") diff --git a/pkg/workflow/runtime_step_generator.go b/pkg/workflow/runtime_step_generator.go index d88465939f4..deaf2a9b9ae 100644 --- a/pkg/workflow/runtime_step_generator.go +++ b/pkg/workflow/runtime_step_generator.go 
@@ -56,22 +56,30 @@ func generateSetupStep(req *RuntimeRequirement) GitHubActionStep { runtimeStepGeneratorLog.Printf("Generating setup step for runtime: %s, version=%s, if=%s", runtime.ID, version, req.IfCondition) runtimeSetupLog.Printf("Generating setup step for runtime: %s, version=%s, if=%s", runtime.ID, version, req.IfCondition) - // In dev mode, install gh-aw from the checked-out source tree instead of - // using setup-cli (which installs released tags). - if runtime.ID == "gh-aw" && !IsRelease() { - step := GitHubActionStep{" - name: Build and install gh-aw CLI from source"} - if req.IfCondition != "" { - step = append(step, " if: "+req.IfCondition) + if runtime.ID == "gh-aw" { + if version == "" { + version = getDefaultGhAWRuntimeVersion() + } + + allExtraFields := make(map[string]string) + // runtime.ExtraWithFields are already YAML-formatted by runtime definitions. + maps.Copy(allExtraFields, runtime.ExtraWithFields) + // req.ExtraFields come from user input and need YAML formatting. + for k, v := range req.ExtraFields { + allExtraFields[k] = formatYAMLValue(v) + } + + step, err := generateGhAwSetupStep(ghAwSetupStepConfig{ + actionMode: actionModeForRuntimeSetup(IsRelease()), + ifCondition: req.IfCondition, + cliVersion: version, + actionRepo: runtime.ActionRepo, + fallbackActionRefTag: runtime.ActionVersion, + withFields: allExtraFields, + }) + if err != nil { + runtimeStepGeneratorLog.Printf("Failed to resolve pinned setup-cli action reference for %s@%s: %v", runtime.ActionRepo, version, err) } - step = append(step, - " run: |", - " gh extension remove gh-aw || true", - " make build", - " gh extension install .", - " gh aw version", - " env:", - " GH_TOKEN: ${{ github.token }}", - ) return step } @@ -166,3 +174,10 @@ func generateSetupStep(req *RuntimeRequirement) GitHubActionStep { return step } + +func actionModeForRuntimeSetup(isRelease bool) ActionMode { + if isRelease { + return ActionModeRelease + } + return ActionModeDev +} 
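Review bot: In the gh-aw branch of `generateSetupStep`, `version` is passed as `cliVersion` and emitted on its own `version:` line, but nothing removes a `version` key from `allExtraFields`. If `runtime.ExtraWithFields` or `req.ExtraFields` can carry that key, the step ends up with two `version` entries under `with:`; `delete(allExtraFields, "version")` before the call would rule that out. `version` itself also reaches the step without going through `formatYAMLValue`, unlike the user-supplied extra fields. The function starts before this hunk and continues after it.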
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 987dfa0700c..8ab03b2b7e8 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -516,18 +516,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw"