From 20727289b03613ba09e15f094071325df31a3eac Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 08:47:05 +0000 Subject: [PATCH 01/15] Initial plan From 69d7101fde489aa60659a06467e20f9add17671b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 09:05:44 +0000 Subject: [PATCH 02/15] fix: make gh-aw extension setup idempotent when gh aw is preinstalled Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ec37f460-90f4-4569-aac7-be17f9c307c7 Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- .github/workflows/static-analysis-report.lock.yml | 11 +++++++---- pkg/workflow/agentic_workflow_test.go | 6 ++++-- pkg/workflow/mcp_setup_generator.go | 11 +++++++---- .../smoke-copilot.golden | 11 +++++++---- 4 files changed, 25 insertions(+), 14 deletions(-) diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 572ee857f7e..3180f01861d 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml 
@@ -552,10 +552,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/pkg/workflow/agentic_workflow_test.go b/pkg/workflow/agentic_workflow_test.go index db20e4b938d..3d964832914 100644 --- a/pkg/workflow/agentic_workflow_test.go +++ b/pkg/workflow/agentic_workflow_test.go @@ -158,8 +158,10 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { // Verify the install commands are present assert.Contains(t, result, "gh extension install github/gh-aw", "install step should include command to install gh-aw extension") - assert.Contains(t, result, "if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then", - "install step should detect both github/gh-aw and local gh-aw extension registrations") + assert.Contains(t, result, "if gh aw --version >/dev/null 2>&1; then", + "install step should detect when the gh-aw command is already available") + assert.Contains(t, result, "if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then", + "install step should detect managed gh-aw extension registrations for best-effort upgrades") assert.Contains(t, result, "gh aw --version", "install step should include command to verify gh-aw installation") 
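Review bot: The unchanged `assert.Contains(t, result, "gh aw --version", ...)` at the end of this hunk can no longer fail on its own, because the newly asserted line `if gh aw --version >/dev/null 2>&1; then` contains the same substring. The test therefore stops proving that a separate post-install verification command is emitted, which is the check that shows which gh-aw version ran with `GH_TOKEN` in the environment. I would either match the full verification line as the generator writes it, or count occurrences, e.g. `assert.GreaterOrEqual(t, strings.Count(result, "gh aw --version"), 2, "install step should probe for gh-aw and verify it after install")`, assuming `strings` is already imported in this test file. TestAgenticWorkflowsInstallStepIncludesGHToken starts and ends outside the hunk, so the setup of `result` is not visible here.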
diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 3857da751a6..a416e5f7ad8 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -196,10 +196,13 @@ func generateAgenticWorkflowsInstallStep(yaml *strings.Builder, hasAgenticWorkfl yaml.WriteString(" env:\n") fmt.Fprintf(yaml, " GH_TOKEN: %s\n", effectiveToken) yaml.WriteString(" run: |\n") - yaml.WriteString(" # Check if gh-aw extension is already installed\n") - yaml.WriteString(" if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then\n") - yaml.WriteString(" echo \"gh-aw extension already installed, upgrading...\"\n") - yaml.WriteString(" gh extension upgrade gh-aw || true\n") + yaml.WriteString(" # Check if gh-aw command is already available (extension or standalone binary)\n") + yaml.WriteString(" if gh aw --version >/dev/null 2>&1; then\n") + yaml.WriteString(" echo \"gh-aw command already available, using existing install\"\n") + yaml.WriteString(" # If installed as a managed extension, attempt best-effort upgrade\n") + yaml.WriteString(" if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then\n") + yaml.WriteString(" gh extension upgrade gh-aw || true\n") + yaml.WriteString(" fi\n") yaml.WriteString(" else\n") yaml.WriteString(" echo \"Installing gh-aw extension...\"\n") yaml.WriteString(" gh extension install github/gh-aw\n") diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden index c7b7aed6fc1..44ca3403d94 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden 
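Review bot: The new outer branch accepts anything that answers `gh aw --version` with exit code 0 while `GH_TOKEN` is exported for the step, and for a binary that is not a managed extension it skips both install and upgrade, so the job continues on an install whose origin and version are not recorded at this point. On a runner that keeps state between jobs (self-hosted, or a prebuilt image) the version that runs with the token can then drift from what `gh extension install github/gh-aw` would fetch. I would log what was selected by emitting `echo "gh-aw command already available: $(gh aw --version 2>&1)"` instead of the fixed message, and make a failed upgrade visible by replacing `|| true` with `|| echo "::warning::gh-aw upgrade failed; continuing with installed version"`. The body of generateAgenticWorkflowsInstallStep starts and continues outside the hunk, so a later verification step may already print the version; if it does, only the upgrade warning is needed.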
@@ -520,10 +520,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw From 67971a8f455a3947a04b9a84dca4f58e9177737d Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 09:22:21 +0000 Subject: [PATCH 03/15] chore: plan PR feedback updates Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 11 +++++---- .../workflows/agent-persona-explorer.lock.yml | 11 +++++---- .../workflows/api-consumption-report.lock.yml | 11 +++++---- .github/workflows/audit-workflows.lock.yml | 11 +++++---- .../aw-failure-investigator.lock.yml | 11 +++++---- .github/workflows/cloclo.lock.yml | 11 +++++---- .../workflows/copilot-token-audit.lock.yml | 11 +++++---- ...aily-agent-of-the-day-blog-writer.lock.yml | 11 +++++---- .../daily-agentrx-trace-optimizer.lock.yml | 11 +++++---- .../daily-cache-strategy-analyzer.lock.yml | 23 +++++++++++-------- .../workflows/daily-cli-tools-tester.lock.yml | 11 +++++---- .../workflows/daily-firewall-report.lock.yml | 11 +++++---- .../daily-observability-report.lock.yml | 23 +++++++++++-------- .../daily-rendering-scripts-verifier.lock.yml | 11 +++++---- .../daily-safe-output-optimizer.lock.yml | 11 +++++---- .../daily-security-observability.lock.yml | 11 +++++---- .../daily-subagent-optimizer.lock.yml | 11 +++++---- .github/workflows/deep-report.lock.yml | 11 +++++---- .github/workflows/dev-hawk.lock.yml | 11 +++++---- .../example-workflow-analyzer.lock.yml | 11 +++++---- .github/workflows/mcp-inspector.lock.yml | 11 +++++---- .github/workflows/metrics-collector.lock.yml | 11 +++++---- .../prompt-clustering-analysis.lock.yml | 11 +++++---- .github/workflows/python-data-charts.lock.yml | 11 +++++---- .github/workflows/q.lock.yml | 11 +++++---- .github/workflows/safe-output-health.lock.yml | 11 +++++---- .github/workflows/security-review.lock.yml | 11 +++++---- .github/workflows/smoke-claude.lock.yml | 11 +++++---- .github/workflows/smoke-copilot-arm.lock.yml | 11 +++++---- .github/workflows/smoke-copilot.lock.yml | 11 +++++---- .../weekly-blog-post-writer.lock.yml | 
11 +++++---- .../workflows/workflow-normalizer.lock.yml | 11 +++++---- 32 files changed, 236 insertions(+), 140 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 965c1db4da1..c68feb2b651 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -522,10 +522,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 0526c3fefcf..d4356c0fc7c 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml 
@@ -522,10 +522,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index e3693e9c331..eb36a52a1c5 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml @@ -559,10 +559,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index ffa44defb79..08ef36cdb7d 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -579,10 +579,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index 9b4034ce152..b1d56a7cfb9 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml 
@@ -517,10 +517,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 48b9e63f575..c35bafd6d12 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -680,10 +680,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml index 65cbb8ac129..547f28164b6 100644 --- a/.github/workflows/copilot-token-audit.lock.yml +++ b/.github/workflows/copilot-token-audit.lock.yml @@ -547,10 +547,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index 907caa5fecc..ca1008ddb78 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml 
@@ -534,10 +534,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml index ce35d8c9ac7..12cf5c1c0e4 100644 --- a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml +++ b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml @@ -499,10 +499,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index 8e4f92fa0b0..3e442fd7d07 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml @@ -537,10 +537,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
@@ -1464,18 +1467,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_77a847c9256c1c10_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_9ac5b8979c8a0edb_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_77a847c9256c1c10_EOF + GH_AW_MCP_CONFIG_9ac5b8979c8a0edb_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_c45e590a5cfd9db0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_ab00480cd808f762_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1486,11 +1489,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_c45e590a5cfd9db0_EOF + GH_AW_MCP_CONFIG_ab00480cd808f762_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_5898b35e4939f59a_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_c9e0f595f3934d1a_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1500,7 +1503,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_5898b35e4939f59a_EOF + GH_AW_CODEX_SHELL_POLICY_c9e0f595f3934d1a_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 305d73e6637..ffc9efd9dd7 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml 
@@ -501,10 +501,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 41c566f9659..b997fbd9650 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -549,10 +549,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 1a3ae0c5b65..7d6c3eb3344 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -509,10 +509,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
@@ -1385,18 +1388,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_72dfc2cffaff563f_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_88b71e41b3f3c147_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_72dfc2cffaff563f_EOF + GH_AW_MCP_CONFIG_88b71e41b3f3c147_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_8bc373dc4c3fb249_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_008a3125a9c302e6_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1407,11 +1410,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_8bc373dc4c3fb249_EOF + GH_AW_MCP_CONFIG_008a3125a9c302e6_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_2bfcc1d6499ebe72_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_6d12449d26917f6e_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1421,7 +1424,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_2bfcc1d6499ebe72_EOF + GH_AW_CODEX_SHELL_POLICY_6d12449d26917f6e_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 759093cd97e..4739cd1bed1 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml 
@@ -544,10 +544,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index adc5e75248d..fbcf02df47a 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -547,10 +547,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index a1cf888313d..e0b2b8dcaa4 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml @@ -586,10 +586,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/daily-subagent-optimizer.lock.yml b/.github/workflows/daily-subagent-optimizer.lock.yml index f663770493d..5ab22749975 100644 --- a/.github/workflows/daily-subagent-optimizer.lock.yml +++ b/.github/workflows/daily-subagent-optimizer.lock.yml 
@@ -532,10 +532,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 98d4d4d32e5..382bc1625ae 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -813,10 +813,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index f5cd5b6ea05..96e2eb325b6 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -529,10 +529,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 070806faa30..b61aabaf577 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml 
@@ -504,10 +504,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index cb8b82c108d..75f4de57889 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -623,10 +623,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 9738289d8a5..7e19ed32e83 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -530,10 +530,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 6712c6b8380..00100abc5bb 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -592,10 +592,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index f2f14dad419..ad9de5cae66 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -545,10 +545,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index a0e67e601d6..1e2184f385c 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -597,10 +597,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index f19df986d0d..6a9de75ff30 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml 
@@ -538,10 +538,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index a33cc41f5b0..7c99ddb0286 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -558,10 +558,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 24da2271216..3f7f46b51a9 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1004,10 +1004,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 8c77ab2f3fb..e9ed2e836c1 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml 
@@ -635,10 +635,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 66ed46b7fde..584b99a283c 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -697,10 +697,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw 
diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 23fc1d9d88d..b6cb5915d59 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -527,10 +527,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index ee2a9865cf7..029cbc07703 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml 
@@ -499,10 +499,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true + # Check if gh-aw command is already available (extension or standalone binary) + if gh aw --version >/dev/null 2>&1; then + echo "gh-aw command already available, using existing install" + # If installed as a managed extension, attempt best-effort upgrade + if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then + gh extension upgrade gh-aw || true + fi else echo "Installing gh-aw extension..." gh extension install github/gh-aw From f4f59896db81e92717920e78294e8d434c0ac696 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 09:26:58 +0000 Subject: [PATCH 04/15] refactor: use setup-cli for MCP gh-aw install step Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/agentic_workflow_test.go | 65 ++++++------------- pkg/workflow/mcp_setup_generator.go | 36 ++-------- .../smoke-copilot.golden | 18 ++--- 3 files changed, 31 insertions(+), 88 deletions(-) diff --git a/pkg/workflow/agentic_workflow_test.go b/pkg/workflow/agentic_workflow_test.go index 3d964832914..995eaf0d047 100644 --- a/pkg/workflow/agentic_workflow_test.go +++ b/pkg/workflow/agentic_workflow_test.go 
@@ -149,19 +149,19 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { // Verify the install step is present assert.Contains(t, result, "Install gh-aw extension", - "MCP setup should include gh-aw installation step when agentic-workflows tool is enabled and no import is present") - - // Verify GH_TOKEN environment variable is set with the default token expression - assert.Contains(t, result, "GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}", - "install step should use default GH_TOKEN fallback chain when no custom token is specified") - - // Verify the install commands are present - assert.Contains(t, result, "gh extension install github/gh-aw", - "install step should include command to install gh-aw extension") - assert.Contains(t, result, "if gh aw --version >/dev/null 2>&1; then", - "install step should detect when the gh-aw command is already available") - assert.Contains(t, result, "if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then", - "install step should detect managed gh-aw extension registrations for best-effort upgrades") + "MCP setup should include gh-aw installation step when agentic-workflows tool is enabled") + + // Verify setup-cli action is used with default token expression + assert.Contains(t, result, "uses: github/gh-aw/actions/setup-cli@main", + "install step should use setup-cli action") + assert.Contains(t, result, "version: latest", + "install step should install latest gh-aw version") + assert.Contains(t, result, "github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}", + "install step should use default github-token fallback chain when no custom token is specified") + + // Verify follow-up copy/verification commands are present + assert.Contains(t, result, "Copy gh-aw binary for MCP server", + "MCP setup should include a step to copy gh-aw binary for MCP server 
containerization") assert.Contains(t, result, "gh aw --version", "install step should include command to verify gh-aw installation") @@ -170,36 +170,9 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { "install step should copy gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization") } -func TestAgenticWorkflowsInstallStepSkippedWithImport(t *testing.T) { - // Create workflow data using helper with imported files option - workflowData := workflowDataWithAgenticWorkflows( - withImportedFiles("shared/mcp/gh-aw.md"), - ) - - // Create compiler using helper - c := testCompiler() - - // Generate MCP setup - var yaml strings.Builder - engine := NewCopilotEngine() - - require.NoError(t, c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData)) - result := yaml.String() - - // Verify the install step is NOT present when import exists - assert.NotContains(t, result, "Install gh-aw extension", - "install step should be skipped when shared/mcp/gh-aw.md is imported") - - // Verify the install command is also not present - assert.NotContains(t, result, "gh extension install github/gh-aw", - "gh extension install command should be absent when shared/mcp/gh-aw.md is imported") -} - func TestAgenticWorkflowsInstallStepPresentWithoutImport(t *testing.T) { // Create workflow data using helper with empty imports - workflowData := workflowDataWithAgenticWorkflows( - withImportedFiles(), // Empty imports - ) + workflowData := workflowDataWithAgenticWorkflows(withImportedFiles()) // Create compiler using helper c := testCompiler() 
@@ -211,13 +184,13 @@ func TestAgenticWorkflowsInstallStepPresentWithoutImport(t *testing.T) { require.NoError(t, c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData)) result := yaml.String() - // Verify the install step IS present when no import exists + // Verify the install step is always present for agentic-workflows tool assert.Contains(t, result, "Install gh-aw extension", - "install step should be present when shared/mcp/gh-aw.md is NOT imported") + "install step should be present when agentic-workflows tool is configured") - // Verify the install command is present - assert.Contains(t, result, "gh extension install github/gh-aw", - "gh extension install command should be present when shared/mcp/gh-aw.md is NOT imported") + // Verify setup-cli action is present + assert.Contains(t, result, "uses: github/gh-aw/actions/setup-cli@main", + "setup-cli action should be present when agentic-workflows tool is configured") } // TestAgenticWorkflowsErrorCases tests error handling for invalid configurations diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index a416e5f7ad8..d9fc394677a 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -119,8 +119,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, } hasAgenticWorkflows := slices.Contains(mcpTools, "agentic-workflows") - hasGhAwImport := hasGhAwSharedImport(workflowData) - generateAgenticWorkflowsInstallStep(yaml, hasAgenticWorkflows, hasGhAwImport) + generateAgenticWorkflowsInstallStep(yaml, hasAgenticWorkflows) generateSafeOutputsSetup(c, yaml, safeOutputConfig, workflowData) if err := generateMCPScriptsSetup(yaml, workflowData); err != nil { 
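Review bot: The name `TestAgenticWorkflowsInstallStepPresentWithoutImport` and its setup comment `// Create workflow data using helper with empty imports` no longer describe what is tested, since the new assertions say the step is emitted whenever the agentic-workflows tool is configured and imports play no part. As written the test repeats the `Install gh-aw extension` and `setup-cli` checks already made in `TestAgenticWorkflowsInstallStepIncludesGHToken`. I would rename it, for example `func TestAgenticWorkflowsInstallStepAlwaysPresent(t *testing.T)`, or fold it into that test. The same stale name is kept in PATCH 05/15 (hunk `@@ -184,13 +191,13 @@`), where the body becomes a dev-mode check. The function starts above this hunk.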
@@ -174,39 +173,18 @@ func generateSafeOutputsConfigIfEnabled(workflowData *WorkflowData) (string, err return safeOutputConfig, nil } -func hasGhAwSharedImport(workflowData *WorkflowData) bool { - for _, importPath := range workflowData.ImportedFiles { - if strings.Contains(importPath, "shared/mcp/gh-aw.md") { - return true - } - } - return false -} - -func generateAgenticWorkflowsInstallStep(yaml *strings.Builder, hasAgenticWorkflows bool, hasGhAwImport bool) { +func generateAgenticWorkflowsInstallStep(yaml *strings.Builder, hasAgenticWorkflows bool) { if !hasAgenticWorkflows { return } - if hasGhAwImport { - mcpSetupGeneratorLog.Print("Skipping gh-aw extension installation step (provided by shared/mcp/gh-aw.md import)") - return - } effectiveToken := getEffectiveGitHubToken("") yaml.WriteString(" - name: Install gh-aw extension\n") - yaml.WriteString(" env:\n") - fmt.Fprintf(yaml, " GH_TOKEN: %s\n", effectiveToken) + yaml.WriteString(" uses: github/gh-aw/actions/setup-cli@main\n") + yaml.WriteString(" with:\n") + yaml.WriteString(" version: latest\n") + fmt.Fprintf(yaml, " github-token: %s\n", effectiveToken) + yaml.WriteString(" - name: Copy gh-aw binary for MCP server\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" # Check if gh-aw command is already available (extension or standalone binary)\n") - yaml.WriteString(" if gh aw --version >/dev/null 2>&1; then\n") - yaml.WriteString(" echo \"gh-aw command already available, using existing install\"\n") - yaml.WriteString(" # If installed as a managed extension, attempt best-effort upgrade\n") - yaml.WriteString(" if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then\n") - yaml.WriteString(" gh extension upgrade gh-aw || true\n") - yaml.WriteString(" fi\n") - yaml.WriteString(" else\n") - yaml.WriteString(" echo \"Installing gh-aw extension...\"\n") - yaml.WriteString(" gh extension install github/gh-aw\n") - yaml.WriteString(" fi\n") yaml.WriteString(" gh aw --version\n") 
yaml.WriteString(" # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization\n") yaml.WriteString(" mkdir -p \"${RUNNER_TEMP}/gh-aw\"\n") diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 44ca3403d94..aab3ba838e6 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -517,20 +517,12 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp - name: Install gh-aw extension - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + uses: github/gh-aw/actions/setup-cli@main + with: + version: latest + github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" From f1a1c12eec48474baeb3dc5b5dac3f6a28a4afa2 Mon Sep 17 00:00:00 2001 
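Review bot: Dropping the `hasGhAwImport` early return in `generateAgenticWorkflowsInstallStep` means a workflow that imports `shared/mcp/gh-aw.md` now gets this install step too, while the removed log line said the import provides the installation itself. If that shared file still installs gh-aw, such a workflow would run two installers, and the copy step that follows would pick up whichever binary `gh aw` resolves to, possibly not the version this step requested. Either confirm the import no longer installs anything and say so in a comment such as `// shared/mcp/gh-aw.md no longer installs gh-aw; this step is the only installer`, or keep the guard. The test that covered the import case is deleted in the same patch, so nothing checks the combination any more. The function body continues past this hunk.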
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 09:49:32 +0000 Subject: [PATCH 05/15] fix: pin setup-cli and cli version in release mode; build from source in dev Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/agentic_workflow_test.go | 27 ++++++---- pkg/workflow/mcp_setup_generator.go | 54 ++++++++++++++++--- .../smoke-copilot.golden | 13 +++-- 3 files changed, 71 insertions(+), 23 deletions(-) diff --git a/pkg/workflow/agentic_workflow_test.go b/pkg/workflow/agentic_workflow_test.go index 995eaf0d047..ea37e2459d2 100644 --- a/pkg/workflow/agentic_workflow_test.go +++ b/pkg/workflow/agentic_workflow_test.go @@ -139,6 +139,8 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { // Create compiler using helper c := testCompiler() + c.actionMode = ActionModeAction + c.version = "v0.72.1" // Generate MCP setup var yaml strings.Builder 
@@ -152,12 +154,16 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { "MCP setup should include gh-aw installation step when agentic-workflows tool is enabled") // Verify setup-cli action is used with default token expression - assert.Contains(t, result, "uses: github/gh-aw/actions/setup-cli@main", + assert.Contains(t, result, "uses: github/gh-aw/actions/setup-cli@", "install step should use setup-cli action") - assert.Contains(t, result, "version: latest", - "install step should install latest gh-aw version") + assert.Contains(t, result, "version: 'v0.72.1'", + "install step should install the compiler release version") assert.Contains(t, result, "github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}", "install step should use default github-token fallback chain when no custom token is specified") + assert.NotContains(t, result, "setup-cli@main", + "install step should not use mutable main ref for setup-cli action") + assert.NotContains(t, result, "version: latest", + "install step should not use mutable latest CLI version") // Verify follow-up copy/verification commands are present assert.Contains(t, result, "Copy gh-aw binary for MCP server", @@ -176,6 +182,7 @@ func TestAgenticWorkflowsInstallStepPresentWithoutImport(t *testing.T) { // Create compiler using helper c := testCompiler() + c.actionMode = ActionModeDev // Generate MCP setup var yaml strings.Builder 
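Review bot: The pinning checks in `TestAgenticWorkflowsInstallStepIncludesGHToken` only match the prefix `uses: github/gh-aw/actions/setup-cli@` and exclude `setup-cli@main`, so any other ref, including a branch name or a movable tag, would pass. Since the action receives the `github-token` fallback chain, the test should pin down the ref the generator is expected to emit. If a commit SHA is expected, add `assert.Regexp(t, "setup-cli@[0-9a-f]{40}", result)`; if the release tag is expected, assert `uses: github/gh-aw/actions/setup-cli@v0.72.1` in full. Which of the two applies depends on generator code outside this hunk.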
@@ -184,13 +191,13 @@ func TestAgenticWorkflowsInstallStepPresentWithoutImport(t *testing.T) { require.NoError(t, c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData)) result := yaml.String() - // Verify the install step is always present for agentic-workflows tool - assert.Contains(t, result, "Install gh-aw extension", - "install step should be present when agentic-workflows tool is configured") - - // Verify setup-cli action is present - assert.Contains(t, result, "uses: github/gh-aw/actions/setup-cli@main", - "setup-cli action should be present when agentic-workflows tool is configured") + // Verify dev install step is present for agentic-workflows tool + assert.Contains(t, result, "Build and install gh-aw CLI from source", + "dev mode should build and install gh-aw from source") + assert.Contains(t, result, "gh extension install .", + "dev mode should install gh-aw extension from local checkout") + assert.NotContains(t, result, "uses: github/gh-aw/actions/setup-cli@", + "dev mode should not use setup-cli action") } // TestAgenticWorkflowsErrorCases tests error handling for invalid configurations diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index d9fc394677a..0cdc34c03b6 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -119,7 +119,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, } hasAgenticWorkflows := slices.Contains(mcpTools, "agentic-workflows") - generateAgenticWorkflowsInstallStep(yaml, hasAgenticWorkflows) + generateAgenticWorkflowsInstallStep(c, yaml, hasAgenticWorkflows, workflowData) generateSafeOutputsSetup(c, yaml, safeOutputConfig, workflowData) if err := generateMCPScriptsSetup(yaml, workflowData); err != nil { 
@@ -173,16 +173,54 @@ func generateSafeOutputsConfigIfEnabled(workflowData *WorkflowData) (string, err return safeOutputConfig, nil } -func generateAgenticWorkflowsInstallStep(yaml *strings.Builder, hasAgenticWorkflows bool) { +func generateAgenticWorkflowsInstallStep(c *Compiler, yaml *strings.Builder, hasAgenticWorkflows bool, workflowData *WorkflowData) { if !hasAgenticWorkflows { return } - effectiveToken := getEffectiveGitHubToken("") - yaml.WriteString(" - name: Install gh-aw extension\n") - yaml.WriteString(" uses: github/gh-aw/actions/setup-cli@main\n") - yaml.WriteString(" with:\n") - yaml.WriteString(" version: latest\n") - fmt.Fprintf(yaml, " github-token: %s\n", effectiveToken) + + if c != nil && c.actionMode == ActionModeDev { + yaml.WriteString(" - name: Build and install gh-aw CLI from source\n") + yaml.WriteString(" run: |\n") + yaml.WriteString(" gh extension remove gh-aw || true\n") + yaml.WriteString(" make build\n") + yaml.WriteString(" gh extension install .\n") + yaml.WriteString(" gh aw version\n") + yaml.WriteString(" env:\n") + yaml.WriteString(" GH_TOKEN: ${{ github.token }}\n") + } else { + cliVersion := "" + if c != nil { + cliVersion = c.actionTag + if cliVersion == "" && workflowData != nil && workflowData.Features != nil { + if actionTagVal, exists := workflowData.Features["action-tag"]; exists { + if actionTagStr, ok := actionTagVal.(string); ok && actionTagStr != "" { + cliVersion = actionTagStr + } + } + } + if cliVersion == "" { + cliVersion = c.version + } + } + if cliVersion == "" || cliVersion == "dev" { + cliVersion = getDefaultGhAWRuntimeVersion() + } + + actionRepo := GitHubOrgRepo + "/actions/setup-cli" + actionRef := fmt.Sprintf("%s@%s", actionRepo, cliVersion) + if workflowData != nil { + if pinnedRef, err := getActionPinWithData(actionRepo, cliVersion, workflowData); err == nil && pinnedRef != "" { + actionRef = pinnedRef + } + } + + effectiveToken := getEffectiveGitHubToken("") + yaml.WriteString(" - name: Install gh-aw 
extension\n") + fmt.Fprintf(yaml, " uses: %s\n", actionRef) + yaml.WriteString(" with:\n") + fmt.Fprintf(yaml, " version: '%s'\n", cliVersion) + fmt.Fprintf(yaml, " github-token: %s\n", effectiveToken) + } yaml.WriteString(" - name: Copy gh-aw binary for MCP server\n") yaml.WriteString(" run: |\n") yaml.WriteString(" gh aw --version\n") diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden index aab3ba838e6..da70b70cc3c 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -516,11 +516,14 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp - - name: Install gh-aw extension - uses: github/gh-aw/actions/setup-cli@main - with: - version: latest - github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version + env: + GH_TOKEN: ${{ github.token }} - name: Copy gh-aw binary for MCP server run: | gh aw --version From 931cc11a419e2b7697d1b126b48d2141715b4349 Mon Sep 17 00:00:00 2001 
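Review bot: `cliVersion` can come from `workflowData.Features["action-tag"]` and is written into the generated workflow by `fmt.Fprintf(yaml, " version: '%s'\n", cliVersion)` and, through `actionRef`, into the `uses:` line without any validation, so a value containing a single quote or a line break would change the structure of the emitted YAML instead of being rejected at compile time. Validate the resolved value before either write, accepting only a release tag or a full commit SHA and returning a compile error otherwise; whether the frontmatter value is validated elsewhere is not visible here. The same unescaped formatting is carried into `generateGhAwSetupStep` in the later gh_aw_setup_steps.go hunk. The function body continues past the end of this hunk.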
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 09:50:49 +0000 Subject: [PATCH 06/15] chore: log setup-cli pin resolution fallback errors Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/mcp_setup_generator.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 0cdc34c03b6..8d9910e435d 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -209,7 +209,9 @@ func generateAgenticWorkflowsInstallStep(c *Compiler, yaml *strings.Builder, has actionRepo := GitHubOrgRepo + "/actions/setup-cli" actionRef := fmt.Sprintf("%s@%s", actionRepo, cliVersion) if workflowData != nil { - if pinnedRef, err := getActionPinWithData(actionRepo, cliVersion, workflowData); err == nil && pinnedRef != "" { + if pinnedRef, err := getActionPinWithData(actionRepo, cliVersion, workflowData); err != nil { + mcpSetupGeneratorLog.Printf("Failed to resolve pinned setup-cli action reference for %s@%s: %v", actionRepo, cliVersion, err) + } else if pinnedRef != "" { actionRef = pinnedRef } } From ade9be3da0fef546d4f078880076c076cb139f2c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 09:52:20 +0000 Subject: [PATCH 07/15] refactor: simplify MCP setup-cli version resolution helpers Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/mcp_setup_generator.go | 52 +++++++++++++++++++---------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 8d9910e435d..c2ea82e2fac 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go 
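Review bot: When `getActionPinWithData` fails, the new branch only writes to `mcpSetupGeneratorLog`, and the step is still emitted with `actionRef` left at `actionRepo@cliVersion`, a tag reference rather than a resolved pin. For a series whose tests assert that no mutable ref is used, this is a fail-open path: depending on where this logger writes (not visible here), the person compiling the workflow may never learn that pinning did not happen. Consider surfacing the failure as a compiler warning, or as an error in release mode, and add a comment such as `// pin resolution failed: falling back to the tag ref on purpose` so the fallback is clearly deliberate. The later gh_aw_setup_steps.go hunks keep the same behaviour through `pinErr`.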
@@ -178,7 +178,7 @@ func generateAgenticWorkflowsInstallStep(c *Compiler, yaml *strings.Builder, has return } - if c != nil && c.actionMode == ActionModeDev { + if c.actionMode == ActionModeDev { yaml.WriteString(" - name: Build and install gh-aw CLI from source\n") yaml.WriteString(" run: |\n") yaml.WriteString(" gh extension remove gh-aw || true\n") @@ -188,23 +188,7 @@ func generateAgenticWorkflowsInstallStep(c *Compiler, yaml *strings.Builder, has yaml.WriteString(" env:\n") yaml.WriteString(" GH_TOKEN: ${{ github.token }}\n") } else { - cliVersion := "" - if c != nil { - cliVersion = c.actionTag - if cliVersion == "" && workflowData != nil && workflowData.Features != nil { - if actionTagVal, exists := workflowData.Features["action-tag"]; exists { - if actionTagStr, ok := actionTagVal.(string); ok && actionTagStr != "" { - cliVersion = actionTagStr - } - } - } - if cliVersion == "" { - cliVersion = c.version - } - } - if cliVersion == "" || cliVersion == "dev" { - cliVersion = getDefaultGhAWRuntimeVersion() - } + cliVersion := resolveAgenticWorkflowsCLIVersion(c, workflowData) actionRepo := GitHubOrgRepo + "/actions/setup-cli" actionRef := fmt.Sprintf("%s@%s", actionRepo, cliVersion) 
@@ -243,6 +227,38 @@ func generateAgenticWorkflowsInstallStep(c *Compiler, yaml *strings.Builder, has yaml.WriteString(" fi\n") } +func resolveAgenticWorkflowsCLIVersion(c *Compiler, workflowData *WorkflowData) string { + cliVersion := c.actionTag + if cliVersion == "" { + cliVersion = getActionTagFromFeatures(workflowData) + } + if cliVersion == "" { + cliVersion = c.version + } + // "dev" and empty versions are not valid release pins; fall back to the + // current compiler runtime version so setup-cli always receives a concrete + // pinned release tag in non-dev modes. + if cliVersion == "" || cliVersion == "dev" { + cliVersion = getDefaultGhAWRuntimeVersion() + } + return cliVersion +} + +func getActionTagFromFeatures(workflowData *WorkflowData) string { + if workflowData == nil || workflowData.Features == nil { + return "" + } + actionTagVal, exists := workflowData.Features["action-tag"] + if !exists { + return "" + } + actionTagStr, ok := actionTagVal.(string) + if !ok || actionTagStr == "" { + return "" + } + return actionTagStr +} + func generateSafeOutputsSetup(c *Compiler, yaml *strings.Builder, safeOutputConfig string, workflowData *WorkflowData) { if !HasSafeOutputsEnabled(workflowData.SafeOutputs) { return From ffd2d8eda99874a32a5d1a464da2f2abbedc3f73 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 10:15:38 +0000 Subject: [PATCH 08/15] refactor: dedupe gh-aw setup step generation in workflow compiler Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/gh_aw_setup_steps.go | 81 ++++++++++++++++++++++++++ pkg/workflow/mcp_setup_generator.go | 45 ++++++-------- pkg/workflow/runtime_step_generator.go | 43 +++++++++----- 3 files changed, 126 insertions(+), 43 deletions(-) create mode 100644 pkg/workflow/gh_aw_setup_steps.go 
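Review bot: Neither new helper has a doc comment, and `resolveAgenticWorkflowsCLIVersion` reads `c.actionTag` and `c.version` without the `c != nil` guard that the inlined code it replaces had (the guard is also removed from `generateAgenticWorkflowsInstallStep` in the preceding hunk). If a nil `*Compiler` is still a supported argument this now panics; if it is not, record that in the comment, e.g. `// resolveAgenticWorkflowsCLIVersion returns the setup-cli version: c.actionTag, then the "action-tag" feature, then c.version, with "" and "dev" replaced by the default runtime version; c must be non-nil.` A one-line comment on `getActionTagFromFeatures` stating that missing, non-string and empty values all yield `""` would cover the second helper.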
diff --git a/pkg/workflow/gh_aw_setup_steps.go b/pkg/workflow/gh_aw_setup_steps.go
new file mode 100644
index 00000000000..64747b58ec6
--- /dev/null
+++ b/pkg/workflow/gh_aw_setup_steps.go
@@ -0,0 +1,81 @@
+package workflow
+
+import (
+ "fmt"
+ "sort"
+)
+
+type ghAwSetupStepConfig struct {
+ actionMode ActionMode
+ ifCondition string
+ cliVersion string
+ actionRepo string
+ fallbackActionRefTag string
+ workflowData *WorkflowData
+ withFields map[string]string
+}
+
+func generateGhAwSetupStep(config ghAwSetupStepConfig) (GitHubActionStep, error) {
+ if config.actionMode == ActionModeDev {
+ step := GitHubActionStep{" - name: Build and install gh-aw CLI from source"}
+ if config.ifCondition != "" {
+ step = append(step, " if: "+config.ifCondition)
+ }
+ step = append(step,
+ " run: |",
+ " gh extension remove gh-aw || true",
+ " make build",
+ " gh extension install .",
+ " gh aw version",
+ " env:",
+ " GH_TOKEN: ${{ github.token }}",
+ )
+ return step, nil
+ }
+
+ actionRef, pinErr := resolveGhAwSetupActionRef(config)
+ step := GitHubActionStep{
+ " - name: Install gh-aw extension",
+ " uses: " + actionRef,
+ }
+ if config.ifCondition != "" {
+ step = append(step, " if: "+config.ifCondition)
+ }
+ step = append(step, " with:")
+ step = append(step, fmt.Sprintf(" version: '%s'", config.cliVersion))
+
+ var keys []string
+ for key := range config.withFields {
+ keys = append(keys, key)
+ }
+ sort.Strings(keys)
+ for _, key := range keys {
+ step = append(step, fmt.Sprintf(" %s: %s", key, config.withFields[key]))
+ }
+
+ return step, pinErr
+}
+
+func resolveGhAwSetupActionRef(config ghAwSetupStepConfig) (string, error) {
+ if config.workflowData != nil {
+ actionRef := fmt.Sprintf("%s@%s", config.actionRepo, config.cliVersion)
+ pinnedRef, err := getActionPinWithData(config.actionRepo, config.cliVersion, config.workflowData)
+ if err != nil {
+ return actionRef, err
+ }
+ if pinnedRef != "" {
+ return pinnedRef, nil
+ }
+ return actionRef, nil
+ }
+
+ actionRef := getActionPin(config.actionRepo)
+ if actionRef != "" {
+ return actionRef, nil
+ }
+
+ if config.fallbackActionRefTag != "" {
+ return fmt.Sprintf("%s@%s", config.actionRepo, 
config.fallbackActionRefTag), nil
+ }
+ return config.actionRepo, nil
+}
diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go
index c2ea82e2fac..543b57fc33e 100644
--- a/pkg/workflow/mcp_setup_generator.go
+++ b/pkg/workflow/mcp_setup_generator.go
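Review bot: The last return in `resolveGhAwSetupActionRef` (gh_aw_setup_steps.go), `return config.actionRepo, nil`, yields a `uses:` value with no `@ref` and reports success, so `generateGhAwSetupStep` emits it without even the log line that a pin failure gets. A repository action reference without a ref is unpinned and, as far as I know, is rejected by the Actions runner, so this path is better treated as an error, e.g. `return "", fmt.Errorf("no ref available for action %s", config.actionRepo)`, with `generateGhAwSetupStep` stopping on it rather than emitting the step. Separately, in the `workflowData == nil` branch `getActionPin(config.actionRepo)` is called without `config.cliVersion`, so the pinned action ref and the `version:` input may name different releases; that cannot be confirmed from the lines shown. The fields of `ghAwSetupStepConfig` also lack comments, in particular one saying that `withFields` values are written verbatim and must already be YAML-formatted.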
@@ -178,34 +178,23 @@ func generateAgenticWorkflowsInstallStep(c *Compiler, yaml *strings.Builder, has return } - if c.actionMode == ActionModeDev { - yaml.WriteString(" - name: Build and install gh-aw CLI from source\n") - yaml.WriteString(" run: |\n") - yaml.WriteString(" gh extension remove gh-aw || true\n") - yaml.WriteString(" make build\n") - yaml.WriteString(" gh extension install .\n") - yaml.WriteString(" gh aw version\n") - yaml.WriteString(" env:\n") - yaml.WriteString(" GH_TOKEN: ${{ github.token }}\n") - } else { - cliVersion := resolveAgenticWorkflowsCLIVersion(c, workflowData) - - actionRepo := GitHubOrgRepo + "/actions/setup-cli" - actionRef := fmt.Sprintf("%s@%s", actionRepo, cliVersion) - if workflowData != nil { - if pinnedRef, err := getActionPinWithData(actionRepo, cliVersion, workflowData); err != nil { - mcpSetupGeneratorLog.Printf("Failed to resolve pinned setup-cli action reference for %s@%s: %v", actionRepo, cliVersion, err) - } else if pinnedRef != "" { - actionRef = pinnedRef - } - } - - effectiveToken := getEffectiveGitHubToken("") - yaml.WriteString(" - name: Install gh-aw extension\n") - fmt.Fprintf(yaml, " uses: %s\n", actionRef) - yaml.WriteString(" with:\n") - fmt.Fprintf(yaml, " version: '%s'\n", cliVersion) - fmt.Fprintf(yaml, " github-token: %s\n", effectiveToken) + cliVersion := resolveAgenticWorkflowsCLIVersion(c, workflowData) + effectiveToken := getEffectiveGitHubToken("") + installStep, err := generateGhAwSetupStep(ghAwSetupStepConfig{ + actionMode: c.actionMode, + cliVersion: cliVersion, + actionRepo: GitHubOrgRepo + "/actions/setup-cli", + fallbackActionRefTag: cliVersion, + workflowData: workflowData, + withFields: map[string]string{ + "github-token": effectiveToken, + }, + }) + if err != nil { + mcpSetupGeneratorLog.Printf("Failed to resolve pinned setup-cli action reference for %s@%s: %v", GitHubOrgRepo+"/actions/setup-cli", cliVersion, err) + } + for _, line := range installStep { + yaml.WriteString(line + "\n") } 
yaml.WriteString(" - name: Copy gh-aw binary for MCP server\n") yaml.WriteString(" run: |\n") diff --git a/pkg/workflow/runtime_step_generator.go b/pkg/workflow/runtime_step_generator.go index d88465939f4..8910bce4f44 100644 --- a/pkg/workflow/runtime_step_generator.go +++ b/pkg/workflow/runtime_step_generator.go @@ -56,22 +56,28 @@ func generateSetupStep(req *RuntimeRequirement) GitHubActionStep { runtimeStepGeneratorLog.Printf("Generating setup step for runtime: %s, version=%s, if=%s", runtime.ID, version, req.IfCondition) runtimeSetupLog.Printf("Generating setup step for runtime: %s, version=%s, if=%s", runtime.ID, version, req.IfCondition) - // In dev mode, install gh-aw from the checked-out source tree instead of - // using setup-cli (which installs released tags). - if runtime.ID == "gh-aw" && !IsRelease() { - step := GitHubActionStep{" - name: Build and install gh-aw CLI from source"} - if req.IfCondition != "" { - step = append(step, " if: "+req.IfCondition) + if runtime.ID == "gh-aw" { + if version == "" { + version = getDefaultGhAWRuntimeVersion() + } + + allExtraFields := make(map[string]string) + maps.Copy(allExtraFields, runtime.ExtraWithFields) + for k, v := range req.ExtraFields { + allExtraFields[k] = formatYAMLValue(v) + } + + step, err := generateGhAwSetupStep(ghAwSetupStepConfig{ + actionMode: actionModeForRuntimeSetup(IsRelease()), + ifCondition: req.IfCondition, + cliVersion: version, + actionRepo: runtime.ActionRepo, + fallbackActionRefTag: runtime.ActionVersion, + withFields: allExtraFields, + }) + if err != nil { + runtimeStepGeneratorLog.Printf("Failed to resolve pinned setup-cli action reference for %s@%s: %v", runtime.ActionRepo, version, err) } - step = append(step, - " run: |", - " gh extension remove gh-aw || true", - " make build", - " gh extension install .", - " gh aw version", - " env:", - " GH_TOKEN: ${{ github.token }}", - ) return step } 
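Review bot: In the runtime_step_generator.go hunk the mode is derived from the process-wide `IsRelease()` through `actionModeForRuntimeSetup`, while the MCP path in the preceding mcp_setup_generator.go hunk passes `c.actionMode`, so the two generators can disagree on whether to build from source or use the setup-cli action within the same compilation. `generateSetupStep` receives no compiler in the lines shown, so a real fix may need to carry the mode on `RuntimeRequirement`; at minimum a comment such as `// NOTE: mode comes from IsRelease(), not Compiler.actionMode` would record the difference. No `workflowData` is set in this `ghAwSetupStepConfig`, so pin resolution here always goes through the static-table branch, and the returned error is logged and dropped as in the MCP path. `generateSetupStep` begins and ends outside this hunk.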
@@ -166,3 +172,10 @@ func generateSetupStep(req *RuntimeRequirement) GitHubActionStep { return step } + +func actionModeForRuntimeSetup(isRelease bool) ActionMode { + if isRelease { + return ActionModeRelease + } + return ActionModeDev +} From 9271dd7f4441fcd59dd57cb4be4edc49bb98ea82 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 10:21:09 +0000 Subject: [PATCH 09/15] refactor: share gh-aw setup step generation across compiler paths Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/gh_aw_setup_steps.go | 8 +++++++- pkg/workflow/mcp_setup_generator.go | 5 +++-- pkg/workflow/runtime_step_generator.go | 2 ++ 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/pkg/workflow/gh_aw_setup_steps.go b/pkg/workflow/gh_aw_setup_steps.go index 64747b58ec6..3526e0c5c9b 100644 --- a/pkg/workflow/gh_aw_setup_steps.go +++ b/pkg/workflow/gh_aw_setup_steps.go @@ -33,14 +33,16 @@ func generateGhAwSetupStep(config ghAwSetupStepConfig) (GitHubActionStep, error) return step, nil } + // Pinning errors are non-fatal: we still emit a valid step with the fallback + // action reference so compilation and workflow execution can continue. actionRef, pinErr := resolveGhAwSetupActionRef(config) step := GitHubActionStep{ " - name: Install gh-aw extension", - " uses: " + actionRef, } if config.ifCondition != "" { step = append(step, " if: "+config.ifCondition) } + step = append(step, " uses: "+actionRef) step = append(step, " with:") step = append(step, fmt.Sprintf(" version: '%s'", config.cliVersion)) 
@@ -56,6 +58,10 @@ func generateGhAwSetupStep(config ghAwSetupStepConfig) (GitHubActionStep, error) return step, pinErr } +// resolveGhAwSetupActionRef resolves the setup-cli action reference in priority order: +// 1. Use workflow-aware pin resolution (getActionPinWithData) when WorkflowData exists. +// 2. Otherwise use the static pin table (getActionPin) when available. +// 3. Otherwise fall back to repo@tag, then repo with no ref as a final fallback. func resolveGhAwSetupActionRef(config ghAwSetupStepConfig) (string, error) { if config.workflowData != nil { actionRef := fmt.Sprintf("%s@%s", config.actionRepo, config.cliVersion) diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 543b57fc33e..e004a18fe89 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -180,10 +180,11 @@ func generateAgenticWorkflowsInstallStep(c *Compiler, yaml *strings.Builder, has cliVersion := resolveAgenticWorkflowsCLIVersion(c, workflowData) effectiveToken := getEffectiveGitHubToken("") + actionRepo := GitHubOrgRepo + "/actions/setup-cli" installStep, err := generateGhAwSetupStep(ghAwSetupStepConfig{ actionMode: c.actionMode, cliVersion: cliVersion, - actionRepo: GitHubOrgRepo + "/actions/setup-cli", + actionRepo: actionRepo, fallbackActionRefTag: cliVersion, workflowData: workflowData, withFields: map[string]string{ @@ -191,7 +192,7 @@ func generateAgenticWorkflowsInstallStep(c *Compiler, yaml *strings.Builder, has }, }) if err != nil { - mcpSetupGeneratorLog.Printf("Failed to resolve pinned setup-cli action reference for %s@%s: %v", GitHubOrgRepo+"/actions/setup-cli", cliVersion, err) + mcpSetupGeneratorLog.Printf("Failed to resolve pinned setup-cli action reference for %s@%s: %v", actionRepo, cliVersion, err) } for _, line := range installStep { yaml.WriteString(line + "\n") diff --git a/pkg/workflow/runtime_step_generator.go b/pkg/workflow/runtime_step_generator.go index 8910bce4f44..deaf2a9b9ae 100644 
--- a/pkg/workflow/runtime_step_generator.go +++ b/pkg/workflow/runtime_step_generator.go @@ -62,7 +62,9 @@ func generateSetupStep(req *RuntimeRequirement) GitHubActionStep { } allExtraFields := make(map[string]string) + // runtime.ExtraWithFields are already YAML-formatted by runtime definitions. maps.Copy(allExtraFields, runtime.ExtraWithFields) + // req.ExtraFields come from user input and need YAML formatting. for k, v := range req.ExtraFields { allExtraFields[k] = formatYAMLValue(v) } From b6aaa737d23789a24bdf6be9ae9889ac887f48ca Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 10:55:44 +0000 Subject: [PATCH 10/15] chore: recompile lock workflows to use gh-aw setup steps helper Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 21 +++++------- .../workflows/agent-persona-explorer.lock.yml | 21 +++++------- .../workflows/api-consumption-report.lock.yml | 21 +++++------- .github/workflows/audit-workflows.lock.yml | 21 +++++------- .../aw-failure-investigator.lock.yml | 21 +++++------- .github/workflows/cloclo.lock.yml | 21 +++++------- .../workflows/copilot-token-audit.lock.yml | 21 +++++------- ...aily-agent-of-the-day-blog-writer.lock.yml | 21 +++++------- .../daily-agentrx-trace-optimizer.lock.yml | 21 +++++------- .../daily-cache-strategy-analyzer.lock.yml | 33 ++++++++----------- .../workflows/daily-cli-tools-tester.lock.yml | 21 +++++------- .../workflows/daily-firewall-report.lock.yml | 21 +++++------- .../daily-observability-report.lock.yml | 33 ++++++++----------- .../daily-rendering-scripts-verifier.lock.yml | 21 +++++------- .../daily-safe-output-optimizer.lock.yml | 21 +++++------- .../daily-security-observability.lock.yml | 21 +++++------- .../daily-subagent-optimizer.lock.yml | 21 +++++------- .github/workflows/deep-report.lock.yml | 21 +++++------- .github/workflows/dev-hawk.lock.yml | 21 +++++------- .../example-workflow-analyzer.lock.yml | 21 +++++------- .github/workflows/mcp-inspector.lock.yml | 23 +++++-------- .github/workflows/metrics-collector.lock.yml | 21 +++++------- .../prompt-clustering-analysis.lock.yml | 21 +++++------- .github/workflows/python-data-charts.lock.yml | 21 +++++------- .github/workflows/q.lock.yml | 21 +++++------- .github/workflows/safe-output-health.lock.yml | 21 +++++------- .github/workflows/security-review.lock.yml | 21 +++++------- .github/workflows/smoke-claude.lock.yml | 21 +++++------- 
.github/workflows/smoke-copilot-arm.lock.yml | 21 +++++------- .github/workflows/smoke-copilot.lock.yml | 21 +++++------- .../workflows/smoke-otel-backends.lock.yml | 2 +- .../workflows/static-analysis-report.lock.yml | 21 +++++------- .../weekly-blog-post-writer.lock.yml | 21 +++++------- .../workflows/workflow-normalizer.lock.yml | 21 +++++------- 34 files changed, 278 insertions(+), 443 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index c68feb2b651..eab24ab0f80 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml 
@@ -518,21 +518,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index d4356c0fc7c..5856ff7d711 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml 
@@ -518,21 +518,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index eb36a52a1c5..53077506412 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml 
@@ -555,21 +555,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 08ef36cdb7d..73617861312 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml 
@@ -575,21 +575,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index b1d56a7cfb9..1f419fd7a99 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml 
@@ -513,21 +513,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index c35bafd6d12..6e48ac77c5e 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml 
@@ -676,21 +676,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml index 547f28164b6..1ec3337f9bd 100644 --- a/.github/workflows/copilot-token-audit.lock.yml +++ b/.github/workflows/copilot-token-audit.lock.yml 
@@ -543,21 +543,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index ca1008ddb78..9be79ad4957 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml 
@@ -530,21 +530,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml index 12cf5c1c0e4..b1923f839e7 100644 --- a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml +++ b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml 
@@ -495,21 +495,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index 3e442fd7d07..8ef2941ce97 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml 
@@ -533,21 +533,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" 
@@ -1467,18 +1462,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_9ac5b8979c8a0edb_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_1a50961ef015ca97_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_9ac5b8979c8a0edb_EOF + GH_AW_MCP_CONFIG_1a50961ef015ca97_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_ab00480cd808f762_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_b490ad3160a76f71_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1489,11 +1484,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_ab00480cd808f762_EOF + GH_AW_MCP_CONFIG_b490ad3160a76f71_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_c9e0f595f3934d1a_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_53ff9ef4c606056d_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1503,7 +1498,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_c9e0f595f3934d1a_EOF + GH_AW_CODEX_SHELL_POLICY_53ff9ef4c606056d_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index ffc9efd9dd7..69310ac0036 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml 
@@ -497,21 +497,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index b997fbd9650..e0d13c066fb 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml 
@@ -545,21 +545,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 7d6c3eb3344..f80f2c96d5d 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -505,21 +505,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" 
@@ -1388,18 +1383,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_88b71e41b3f3c147_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_7fd1d4b52f87d41a_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_88b71e41b3f3c147_EOF + GH_AW_MCP_CONFIG_7fd1d4b52f87d41a_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_008a3125a9c302e6_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_b257cdd2d0d46070_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1410,11 +1405,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_008a3125a9c302e6_EOF + GH_AW_MCP_CONFIG_b257cdd2d0d46070_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_6d12449d26917f6e_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_6a31e3d8358dfc53_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1424,7 +1419,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_6d12449d26917f6e_EOF + GH_AW_CODEX_SHELL_POLICY_6a31e3d8358dfc53_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 4739cd1bed1..e0a394fa0e8 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml 
@@ -540,21 +540,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index fbcf02df47a..3a236518dfe 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml 
@@ -543,21 +543,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index e0b2b8dcaa4..b4d85815e6e 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml 
@@ -582,21 +582,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/daily-subagent-optimizer.lock.yml b/.github/workflows/daily-subagent-optimizer.lock.yml index 5ab22749975..38893df6909 100644 --- a/.github/workflows/daily-subagent-optimizer.lock.yml +++ b/.github/workflows/daily-subagent-optimizer.lock.yml 
@@ -528,21 +528,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 382bc1625ae..8ff179867d2 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml 
@@ -809,21 +809,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 96e2eb325b6..593ee1919d0 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml 
@@ -525,21 +525,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index b61aabaf577..029d5e4d007 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml 
@@ -500,21 +500,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 75f4de57889..99e2e3eaaaf 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -619,21 +619,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" docker.io/mcp/brave-search@sha256:ca96b8acb27d8cf601a8faef86a084602cffa41d8cb18caa1e29ba4d16989d22 ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 mcp/arxiv-mcp-server@sha256:6dc6bba6dfed97f4ad6eb8d23a5c98ef5b7fa6184937d54b2d675801cd9dd29e mcp/ast-grep:latest@sha256:5fc3f2e9dcf2c019e92662f608b8d89e12134ed6d91e6f5461de6efd506a1e72 mcp/context7@sha256:1174e6a29634a83b2be93ac1fefabf63265f498c02c72201fe3464e687dd8836 mcp/markitdown@sha256:1cef3bf502503310ed0884441874ccf6cdaac20136dc1179797fa048269dc4cb mcp/memory@sha256:db0c2db07a44b6797eba7a832b1bda142ffc899588aae82c92780cbb2252407f mcp/notion@sha256:4de8eb0de33402fcbd3740b4f4039918e4893155c7ea833c7a0c472001b88367 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f python:alpine@sha256:6f873e340e6786787a632c919ecfb1d2301eb33ccfbe9f0d0add16cbc0892116 - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . 
+ gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" @@ -999,7 +994,7 @@ jobs: "url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp?toolsets=core", "headers": { "DD_API_KEY": "\${DD_API_KEY}", - "DD_APPLICATION_KEY": "\${DD_APPLICATION_KEY}", + "DD_APPLICATION_KEY": "\${DD_APP_KEY}", "DD_SITE": "\${DD_SITE}" }, "tools": [ diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 7e19ed32e83..439f3c973fb 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml 
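Review bot: The `DD_APPLICATION_KEY` header is now filled from `\${DD_APP_KEY}`, but nothing in this hunk shows that the step exports a variable with that name. If the surrounding `env:` still defines only `DD_APPLICATION_KEY`, the placeholder presumably resolves to an empty or literal value and the Datadog endpoint rejects the request. Confirm that the step's `env:` defines `DD_APP_KEY` in the workflow source this file is compiled from. The same substitution is made in `smoke-otel-backends.lock.yml`.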
@@ -526,21 +526,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 00100abc5bb..fa336c8fd45 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -588,21 +588,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index ad9de5cae66..261a55f2199 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml 
@@ -541,21 +541,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 1e2184f385c..324ccba561a 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -593,21 +593,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 6a9de75ff30..d8a0c16ee5e 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml 
@@ -534,21 +534,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 7c99ddb0286..e3b9ff83f04 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml 
@@ -554,21 +554,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 3f7f46b51a9..cdb58483c66 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml 
@@ -1000,21 +1000,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index e9ed2e836c1..64f788c7006 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml 
@@ -631,21 +631,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 584b99a283c..dae56d21c35 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml 
@@ -693,21 +693,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/smoke-otel-backends.lock.yml b/.github/workflows/smoke-otel-backends.lock.yml index 89ae744243e..41b1154bea1 100644 --- a/.github/workflows/smoke-otel-backends.lock.yml +++ b/.github/workflows/smoke-otel-backends.lock.yml 
@@ -773,7 +773,7 @@ jobs: "url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp?toolsets=core", "headers": { "DD_API_KEY": "\${DD_API_KEY}", - "DD_APPLICATION_KEY": "\${DD_APPLICATION_KEY}", + "DD_APPLICATION_KEY": "\${DD_APP_KEY}", "DD_SITE": "\${DD_SITE}" }, "tools": [ diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 3180f01861d..c37e85f2cac 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml 
@@ -548,21 +548,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index b6cb5915d59..0a15770fe3a 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml 
@@ -523,21 +523,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 029cbc07703..a79e0274ad7 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml 
@@ -495,21 +495,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove gh-aw || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw command is already available (extension or standalone binary) - if gh aw --version >/dev/null 2>&1; then - echo "gh-aw command already available, using existing install" - # If installed as a managed extension, attempt best-effort upgrade - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]])'; then - gh extension upgrade gh-aw || true - fi - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" From 6492da01181e6390b638cd71ca1ac379649306e6 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 13:32:39 +0000 Subject: [PATCH 11/15] fix: remove aw extension with force in gh-aw setup helper Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../workflows/agent-performance-analyzer.lock.yml | 2 +- .github/workflows/agent-persona-explorer.lock.yml | 2 +- .github/workflows/api-consumption-report.lock.yml | 2 +- .github/workflows/audit-workflows.lock.yml | 2 +- .github/workflows/aw-failure-investigator.lock.yml | 2 +- .github/workflows/cloclo.lock.yml | 2 +- .github/workflows/copilot-token-audit.lock.yml | 4 ++-- .github/workflows/copilot-token-optimizer.lock.yml | 2 +- .../daily-agent-of-the-day-blog-writer.lock.yml | 2 +- .../daily-agentrx-trace-optimizer.lock.yml | 2 +- .../daily-cache-strategy-analyzer.lock.yml | 14 +++++++------- .github/workflows/daily-cli-tools-tester.lock.yml | 2 +- .github/workflows/daily-firewall-report.lock.yml | 2 +- .../workflows/daily-observability-report.lock.yml | 14 +++++++------- .../daily-rendering-scripts-verifier.lock.yml | 2 +- .../workflows/daily-safe-output-optimizer.lock.yml | 2 +- .../daily-security-observability.lock.yml | 2 +- .../workflows/daily-subagent-optimizer.lock.yml | 2 +- .github/workflows/deep-report.lock.yml | 2 +- .github/workflows/dev-hawk.lock.yml | 2 +- .../workflows/example-workflow-analyzer.lock.yml | 2 +- .github/workflows/mcp-inspector.lock.yml | 2 +- .github/workflows/metrics-collector.lock.yml | 2 +- .github/workflows/pr-sous-chef.lock.yml | 2 +- .../workflows/prompt-clustering-analysis.lock.yml | 2 +- .github/workflows/python-data-charts.lock.yml | 2 +- .github/workflows/q.lock.yml | 2 +- .github/workflows/safe-output-health.lock.yml | 2 +- .github/workflows/security-review.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- .github/workflows/smoke-copilot-arm.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- 
.github/workflows/smoke-otel-backends.lock.yml | 2 +- .github/workflows/static-analysis-report.lock.yml | 4 ++-- .github/workflows/weekly-blog-post-writer.lock.yml | 2 +- .github/workflows/workflow-normalizer.lock.yml | 2 +- pkg/workflow/gh_aw_setup_steps.go | 2 +- pkg/workflow/runtime_gh_aw_test.go | 2 +- .../smoke-copilot.golden | 2 +- 39 files changed, 53 insertions(+), 53 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index eab24ab0f80..363dbdce80f 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -520,7 +520,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 5856ff7d711..49d49f56da4 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml 
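Review bot: `gh extension remove aw --force || true` hides every failure of the remove, including a rejected flag. As far as I know, `--force` is documented for `gh extension install` and `gh extension upgrade` but not for `remove`; if the CLI on the runner rejects it, this line is a silent no-op and a preinstalled extension stays registered. Checking first and dropping the blanket `|| true`, e.g. `if gh extension list | grep -q 'gh-aw'; then gh extension remove aw; fi`, makes an unexpected failure fail the step. The identical line changes in the remaining hunks of this patch, so the fix belongs in `pkg/workflow/gh_aw_setup_steps.go`, which the diffstat lists.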
@@ -520,7 +520,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index 53077506412..151569039c1 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml @@ -557,7 +557,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 73617861312..73d171637f1 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml 
@@ -577,7 +577,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index 1f419fd7a99..e047b2a14bf 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml @@ -515,7 +515,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 6e48ac77c5e..8a301ae484d 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml 
@@ -678,7 +678,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml index 1ec3337f9bd..1fe291ddc69 100644 --- a/.github/workflows/copilot-token-audit.lock.yml +++ b/.github/workflows/copilot-token-audit.lock.yml @@ -446,7 +446,7 @@ jobs: BINARY=dist/gh-aw-linux-amd64 - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version @@ -545,7 +545,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version 
diff --git a/.github/workflows/copilot-token-optimizer.lock.yml b/.github/workflows/copilot-token-optimizer.lock.yml index 5e98562af1f..90975c47bc7 100644 --- a/.github/workflows/copilot-token-optimizer.lock.yml +++ b/.github/workflows/copilot-token-optimizer.lock.yml @@ -415,7 +415,7 @@ jobs: persist-credentials: false - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index 9be79ad4957..54ac6519007 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml @@ -532,7 +532,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml index b1923f839e7..68cf9782d1d 100644 --- a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml +++ b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml 
@@ -497,7 +497,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index 8ef2941ce97..52ea2c6e3f4 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml @@ -535,7 +535,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version 
@@ -1462,18 +1462,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_1a50961ef015ca97_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_d3e660ae75f7cdc6_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_1a50961ef015ca97_EOF + GH_AW_MCP_CONFIG_d3e660ae75f7cdc6_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b490ad3160a76f71_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_1aee9a3cdae8a583_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1484,11 +1484,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_b490ad3160a76f71_EOF + GH_AW_MCP_CONFIG_1aee9a3cdae8a583_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_53ff9ef4c606056d_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_7ab9c3e9f4216a29_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1498,7 +1498,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_53ff9ef4c606056d_EOF + GH_AW_CODEX_SHELL_POLICY_7ab9c3e9f4216a29_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 69310ac0036..ef9f95a1622 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml 
@@ -499,7 +499,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index e0d13c066fb..86100895176 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -547,7 +547,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index f80f2c96d5d..bc617efa4ff 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -507,7 +507,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version 
@@ -1383,18 +1383,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_7fd1d4b52f87d41a_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_cdddcb73e2caaabb_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_7fd1d4b52f87d41a_EOF + GH_AW_MCP_CONFIG_cdddcb73e2caaabb_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_b257cdd2d0d46070_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_123b76d5f01a4b00_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1405,11 +1405,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_b257cdd2d0d46070_EOF + GH_AW_MCP_CONFIG_123b76d5f01a4b00_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_6a31e3d8358dfc53_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_234c867b202fb496_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1419,7 +1419,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_6a31e3d8358dfc53_EOF + GH_AW_CODEX_SHELL_POLICY_234c867b202fb496_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index e0a394fa0e8..6f8bfbb61bc 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml 
@@ -542,7 +542,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 3a236518dfe..fd0578c5b7b 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -545,7 +545,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index b4d85815e6e..c20d6b255fc 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml 
@@ -584,7 +584,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/daily-subagent-optimizer.lock.yml b/.github/workflows/daily-subagent-optimizer.lock.yml index 38893df6909..8bb635f40a0 100644 --- a/.github/workflows/daily-subagent-optimizer.lock.yml +++ b/.github/workflows/daily-subagent-optimizer.lock.yml @@ -530,7 +530,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 8ff179867d2..399e24bd11e 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml 
@@ -811,7 +811,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 593ee1919d0..efa1aeb0ecf 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -527,7 +527,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 029d5e4d007..15c83e7012e 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml 
@@ -502,7 +502,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 99e2e3eaaaf..f330c165687 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -621,7 +621,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" docker.io/mcp/brave-search@sha256:ca96b8acb27d8cf601a8faef86a084602cffa41d8cb18caa1e29ba4d16989d22 ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 mcp/arxiv-mcp-server@sha256:6dc6bba6dfed97f4ad6eb8d23a5c98ef5b7fa6184937d54b2d675801cd9dd29e mcp/ast-grep:latest@sha256:5fc3f2e9dcf2c019e92662f608b8d89e12134ed6d91e6f5461de6efd506a1e72 mcp/context7@sha256:1174e6a29634a83b2be93ac1fefabf63265f498c02c72201fe3464e687dd8836 mcp/markitdown@sha256:1cef3bf502503310ed0884441874ccf6cdaac20136dc1179797fa048269dc4cb mcp/memory@sha256:db0c2db07a44b6797eba7a832b1bda142ffc899588aae82c92780cbb2252407f mcp/notion@sha256:4de8eb0de33402fcbd3740b4f4039918e4893155c7ea833c7a0c472001b88367 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f python:alpine@sha256:6f873e340e6786787a632c919ecfb1d2301eb33ccfbe9f0d0add16cbc0892116 - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 439f3c973fb..52f7af76697 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml 
@@ -528,7 +528,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 9ad04c0458c..c235761730a 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -409,7 +409,7 @@ jobs: git -c "http.extraheader=Authorization: Basic ${header}" fetch origin '+refs/pull/*/head:refs/remotes/origin/pull/*/head' - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index fa336c8fd45..f5d31555de4 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -590,7 +590,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 261a55f2199..25a68aa5163 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -543,7 +543,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 324ccba561a..54d963a8001 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -595,7 +595,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index d8a0c16ee5e..4150e6710af 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -536,7 +536,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index e3b9ff83f04..987c5cfe51d 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml 
@@ -556,7 +556,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index cdb58483c66..1b923317107 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1002,7 +1002,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 64f788c7006..2defb47f9b5 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml 
@@ -633,7 +633,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index dae56d21c35..bb2bd6064c4 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -695,7 +695,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/smoke-otel-backends.lock.yml b/.github/workflows/smoke-otel-backends.lock.yml index 41b1154bea1..89ae744243e 100644 --- a/.github/workflows/smoke-otel-backends.lock.yml 
+++ b/.github/workflows/smoke-otel-backends.lock.yml @@ -773,7 +773,7 @@ jobs: "url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp?toolsets=core", "headers": { "DD_API_KEY": "\${DD_API_KEY}", - "DD_APPLICATION_KEY": "\${DD_APP_KEY}", + "DD_APPLICATION_KEY": "\${DD_APPLICATION_KEY}", "DD_SITE": "\${DD_SITE}" }, "tools": [ diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index c37e85f2cac..aa64a441c6a 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -445,7 +445,7 @@ jobs: BINARY=dist/gh-aw-linux-amd64 - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version @@ -550,7 +550,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 0a15770fe3a..43b5be13821 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml 
@@ -525,7 +525,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index a79e0274ad7..305372f8e76 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -497,7 +497,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version diff --git a/pkg/workflow/gh_aw_setup_steps.go b/pkg/workflow/gh_aw_setup_steps.go index 3526e0c5c9b..6344611f98f 100644 --- a/pkg/workflow/gh_aw_setup_steps.go +++ b/pkg/workflow/gh_aw_setup_steps.go 
@@ -23,7 +23,7 @@ func generateGhAwSetupStep(config ghAwSetupStepConfig) (GitHubActionStep, error) } step = append(step, " run: |", - " gh extension remove gh-aw || true", + " gh extension remove aw --force || true", " make build", " gh extension install .", " gh aw version", diff --git a/pkg/workflow/runtime_gh_aw_test.go b/pkg/workflow/runtime_gh_aw_test.go index 9737e5f7383..3e581344016 100644 --- a/pkg/workflow/runtime_gh_aw_test.go +++ b/pkg/workflow/runtime_gh_aw_test.go @@ -109,7 +109,7 @@ func TestGenerateRuntimeSetupSteps_GhAw_DevBuildsFromSource(t *testing.T) { content := strings.Join(steps[0], "\n") assert.Contains(t, content, "Build and install gh-aw CLI from source") - assert.Contains(t, content, "gh extension remove gh-aw || true") + assert.Contains(t, content, "gh extension remove aw --force || true") assert.Contains(t, content, "make build") assert.Contains(t, content, "gh extension install .") assert.Contains(t, content, "gh aw version") diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden index da70b70cc3c..a9cdf7b0362 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -518,7 +518,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9 ghcr.io/github/github-mcp-server:v1.0.4 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp - name: Build and install gh-aw CLI from source run: | - gh extension remove gh-aw || true + gh extension remove aw --force || true make build gh extension install . gh aw version From 9196fedb479944ff2d5668e6bc49e9b2b20ca2fa Mon Sep 17 00:00:00 2001 
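Review bot: The new removal line emitted by `generateGhAwSetupStep`, `gh extension remove aw --force || true`, passes a `--force` flag that, as far as I know, is documented for `gh extension install` and `gh extension upgrade` but not for `gh extension remove`. The trailing `|| true` would swallow the resulting usage error, so a stale extension could be left in place and the failure would only surface at `gh extension install .`. Please confirm with `gh extension remove --help` on the runner's gh version; if the flag is rejected, `gh extension remove aw || true` keeps the intent. The assertion in `runtime_gh_aw_test.go` and the regenerated `.lock.yml` and golden files pin the same string, so those checks only show that the text is emitted, not that the command succeeds. The body of `generateGhAwSetupStep` starts and ends outside this hunk.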
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 13:37:22 +0000 Subject: [PATCH 12/15] chore: remove unrelated lockfile drift from recompilation Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../workflows/daily-cache-strategy-analyzer.lock.yml | 12 ++++++------ .../workflows/daily-observability-report.lock.yml | 12 ++++++------ .github/workflows/smoke-otel-backends.lock.yml | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index 52ea2c6e3f4..1d9d0cbbe7d 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml 
@@ -1462,18 +1462,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_d3e660ae75f7cdc6_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_1a50961ef015ca97_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_d3e660ae75f7cdc6_EOF + GH_AW_MCP_CONFIG_1a50961ef015ca97_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_1aee9a3cdae8a583_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_b490ad3160a76f71_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1484,11 +1484,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_1aee9a3cdae8a583_EOF + GH_AW_MCP_CONFIG_b490ad3160a76f71_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_7ab9c3e9f4216a29_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_53ff9ef4c606056d_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1498,7 +1498,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_7ab9c3e9f4216a29_EOF + GH_AW_CODEX_SHELL_POLICY_53ff9ef4c606056d_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index bc617efa4ff..b428f5cbf2d 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -1383,18 +1383,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_cdddcb73e2caaabb_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_7fd1d4b52f87d41a_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_cdddcb73e2caaabb_EOF + GH_AW_MCP_CONFIG_7fd1d4b52f87d41a_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_123b76d5f01a4b00_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_b257cdd2d0d46070_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1405,11 +1405,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_123b76d5f01a4b00_EOF + GH_AW_MCP_CONFIG_b257cdd2d0d46070_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_234c867b202fb496_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_6a31e3d8358dfc53_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1419,7 +1419,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_234c867b202fb496_EOF + GH_AW_CODEX_SHELL_POLICY_6a31e3d8358dfc53_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/smoke-otel-backends.lock.yml b/.github/workflows/smoke-otel-backends.lock.yml index 89ae744243e..41b1154bea1 100644 --- a/.github/workflows/smoke-otel-backends.lock.yml +++ b/.github/workflows/smoke-otel-backends.lock.yml @@ -773,7 +773,7 @@ jobs: "url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp?toolsets=core", "headers": { "DD_API_KEY": "\${DD_API_KEY}", - "DD_APPLICATION_KEY": "\${DD_APPLICATION_KEY}", + "DD_APPLICATION_KEY": "\${DD_APP_KEY}", "DD_SITE": "\${DD_SITE}" }, "tools": [ From 1f3e42552e6b04f7f945b45e475c8bc818eec427 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 13:42:57 +0000 Subject: [PATCH 13/15] chore: outline merge and recompile plan Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/mcp-inspector.lock.yml | 2 +- .github/workflows/smoke-otel-backends.lock.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index f330c165687..2fc7c917c17 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -994,7 +994,7 @@ jobs: "url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp?toolsets=core", "headers": { "DD_API_KEY": "\${DD_API_KEY}", - "DD_APPLICATION_KEY": "\${DD_APP_KEY}", + "DD_APPLICATION_KEY": "\${DD_APPLICATION_KEY}", "DD_SITE": "\${DD_SITE}" }, "tools": [ diff --git a/.github/workflows/smoke-otel-backends.lock.yml b/.github/workflows/smoke-otel-backends.lock.yml index 41b1154bea1..89ae744243e 100644 --- a/.github/workflows/smoke-otel-backends.lock.yml +++ b/.github/workflows/smoke-otel-backends.lock.yml @@ -773,7 +773,7 @@ jobs: "url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp?toolsets=core", "headers": { "DD_API_KEY": "\${DD_API_KEY}", - "DD_APPLICATION_KEY": "\${DD_APP_KEY}", + "DD_APPLICATION_KEY": "\${DD_APPLICATION_KEY}", "DD_SITE": "\${DD_SITE}" }, "tools": [ From 2cddbab2562f7028c922dc4e90cc3b34d8e2aebc Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 13:48:02 +0000 Subject: [PATCH 14/15] chore: merge main and recompile lock outputs Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../daily-cache-strategy-analyzer.lock.yml | 30 +++++++++---------- .../daily-observability-report.lock.yml | 30 +++++++++---------- .../duplicate-code-detector.lock.yml | 20 ++++++------- .github/workflows/spec-librarian.lock.yml | 6 ++-- 4 files changed, 41 insertions(+), 45 deletions(-) diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index f98b315ff5f..b62d9e78155 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml 
@@ -533,18 +533,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" 
@@ -1465,18 +1463,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_d72f2e6a4448437a_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_845ec5ddedb0d907_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_d72f2e6a4448437a_EOF + GH_AW_MCP_CONFIG_845ec5ddedb0d907_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_730fc89480c5d282_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_447bebc93aa2b1a0_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1487,11 +1485,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_730fc89480c5d282_EOF + GH_AW_MCP_CONFIG_447bebc93aa2b1a0_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_865f7e42d33f7113_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_44098e6cd11f946e_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1501,7 +1499,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_865f7e42d33f7113_EOF + GH_AW_CODEX_SHELL_POLICY_44098e6cd11f946e_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 380b76a2dc5..283353163c4 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -505,18 +505,16 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.49 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.49 ghcr.io/github/gh-aw-firewall/squid:0.25.49 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f - - name: Install gh-aw extension + - name: Build and install gh-aw CLI from source + run: | + gh extension remove aw --force || true + make build + gh extension install . + gh aw version env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} + - name: Copy gh-aw binary for MCP server run: | - # Check if gh-aw extension is already installed - if gh extension list | grep -qE '(^|[[:space:]]|/)gh-aw($|[[:space:]]|$)'; then - echo "gh-aw extension already installed, upgrading..." - gh extension upgrade gh-aw || true - else - echo "Installing gh-aw extension..." - gh extension install github/gh-aw - fi gh aw --version # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization mkdir -p "${RUNNER_TEMP}/gh-aw" 
@@ -1386,18 +1384,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_8a512fcb3f800e43_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_41cb57481d6ac09e_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_8a512fcb3f800e43_EOF + GH_AW_MCP_CONFIG_41cb57481d6ac09e_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_bbebc01e8517f794_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_24d55f0646f3099f_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1408,11 +1406,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_bbebc01e8517f794_EOF + GH_AW_MCP_CONFIG_24d55f0646f3099f_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_241bcc0f4f4c6404_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_9f82049d79241df0_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1422,7 +1420,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_241bcc0f4f4c6404_EOF + GH_AW_CODEX_SHELL_POLICY_9f82049d79241df0_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 6bc5beb107f..993496f63c8 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -218,7 +218,7 @@ jobs: cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_8dcabe35d6785795_EOF' - Tools: create_issue, missing_tool, missing_data, noop + Tools: create_issue(max:3), missing_tool, missing_data, noop GH_AW_PROMPT_8dcabe35d6785795_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md" 
@@ -510,14 +510,14 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_eef6781d680527d3_EOF' - {"create_issue":{"assignees":["copilot"],"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} + {"create_issue":{"assignees":["copilot"],"expires":48,"group":true,"labels":["code-quality","automated-analysis","cookie"],"max":3,"title_prefix":"[duplicate-code] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} GH_AW_SAFE_OUTPUTS_CONFIG_eef6781d680527d3_EOF - name: Generate Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | { "description_suffixes": { - "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned." + "create_issue": " CONSTRAINTS: Maximum 3 issue(s) can be created. Title will be prefixed with \"[duplicate-code] \". Labels [\"code-quality\" \"automated-analysis\" \"cookie\"] will be automatically added. Assignees [\"copilot\"] will be automatically assigned." }, "repo_params": {}, "dynamic_tools": [] 
@@ -1384,18 +1384,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_f88cb462a26159af_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_6fa573e98e0f7b23_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_f88cb462a26159af_EOF + GH_AW_MCP_CONFIG_6fa573e98e0f7b23_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_bf50992278c59621_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_c0234d9356ee6886_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1406,11 +1406,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_bf50992278c59621_EOF + GH_AW_MCP_CONFIG_c0234d9356ee6886_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_5ec8074adfe7d7fa_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_ba49ebc278636ac8_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1420,7 +1420,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_5ec8074adfe7d7fa_EOF + GH_AW_CODEX_SHELL_POLICY_ba49ebc278636ac8_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } 
@@ -1590,7 +1590,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.grafana.net,*.sentry.io,172.30.0.1,api.github.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,chatgpt.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"copilot\"],\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"copilot\"],\"expires\":48,\"group\":true,\"labels\":[\"code-quality\",\"automated-analysis\",\"cookie\"],\"max\":3,\"title_prefix\":\"[duplicate-code] \"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" GH_AW_ASSIGN_COPILOT: "true" GH_AW_ASSIGN_TO_AGENT_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/spec-librarian.lock.yml b/.github/workflows/spec-librarian.lock.yml index 01973d5ec4d..8fc0af2c95c 100644 --- a/.github/workflows/spec-librarian.lock.yml +++ b/.github/workflows/spec-librarian.lock.yml 
@@ -511,14 +511,14 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_f5aa6228691f0772_EOF' - {"create_issue":{"assignees":["copilot"],"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} + {"create_issue":{"assignees":["copilot"],"close_older_issues":true,"expires":72,"labels":["pkg-specifications","review","automation"],"max":1,"title_prefix":"[spec-librarian] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} GH_AW_SAFE_OUTPUTS_CONFIG_f5aa6228691f0772_EOF - name: Generate Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | { "description_suffixes": { - "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned." + "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[spec-librarian] \". Labels [\"pkg-specifications\" \"review\" \"automation\"] will be automatically added. Assignees [\"copilot\"] will be automatically assigned." }, "repo_params": {}, "dynamic_tools": [] 
@@ -1579,7 +1579,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,*.grafana.net,*.sentry.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"copilot\"],\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"copilot\"],\"close_older_issues\":true,\"expires\":72,\"labels\":[\"pkg-specifications\",\"review\",\"automation\"],\"max\":1,\"title_prefix\":\"[spec-librarian] \"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" GH_AW_ASSIGN_COPILOT: "true" GH_AW_ASSIGN_TO_AGENT_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN || 
secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with:
From d5faf2dd0e8502de8ad8cc776846472acaf7b512 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 19 May 2026 14:01:22 +0000
Subject: [PATCH 15/15] Add changeset
---
.changeset/patch-setup-gh-aw-install-idempotency.md | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 .changeset/patch-setup-gh-aw-install-idempotency.md
diff --git a/.changeset/patch-setup-gh-aw-install-idempotency.md b/.changeset/patch-setup-gh-aw-install-idempotency.md
new file mode 100644
index 00000000000..44697e623fc
--- /dev/null
+++ b/.changeset/patch-setup-gh-aw-install-idempotency.md
@@ -0,0 +1,5 @@
+---
+"gh-aw": patch
+---
+
+Make `setup-gh-aw` idempotent when `gh-aw` is already installed, so existing `gh aw` commands are reused instead of failing on extension conflicts.