From 7f31775d166d3a0d3f4a2d84226575f79dd00e22 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 23:54:30 +0000 Subject: [PATCH 1/7] docs: expand central-repo-ops with agentic factory section Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/changeset.lock.yml | 5 +++++ .github/workflows/craft.lock.yml | 5 +++++ .github/workflows/daily-safeoutputs-git-simulator.lock.yml | 1 - .github/workflows/design-decision-gate.lock.yml | 5 +++++ .github/workflows/mergefest.lock.yml | 5 +++++ .github/workflows/necromancer.lock.yml | 5 +++++ .github/workflows/poem-bot.lock.yml | 5 +++++ .github/workflows/pr-sous-chef.lock.yml | 5 +++++ .github/workflows/smoke-claude.lock.yml | 5 +++++ .github/workflows/smoke-update-cross-repo-pr.lock.yml | 5 +++++ .github/workflows/tidy.lock.yml | 5 +++++ 11 files changed, 50 insertions(+), 1 deletion(-) diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 297ca263df7..d4cc0e16a72 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -642,6 +642,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 03c9cd64a8e..3ca3964be3f 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -668,6 +668,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", diff --git a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml index 6d7eb70fee9..725c85f3011 100644 
--- a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml +++ b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml @@ -691,7 +691,6 @@ jobs: "defaultMax": 1, "fields": { "branch": { - "required": true, "type": "string", "sanitize": true, "maxLength": 256 diff --git a/.github/workflows/design-decision-gate.lock.yml b/.github/workflows/design-decision-gate.lock.yml index c9ae9c15040..c29289f8c36 100644 --- a/.github/workflows/design-decision-gate.lock.yml +++ b/.github/workflows/design-decision-gate.lock.yml @@ -707,6 +707,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 3606604b78c..04d3887eafe 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -645,6 +645,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", diff --git a/.github/workflows/necromancer.lock.yml b/.github/workflows/necromancer.lock.yml index 7654e145301..b24e144ea3f 100644 --- a/.github/workflows/necromancer.lock.yml +++ b/.github/workflows/necromancer.lock.yml @@ -681,6 +681,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 9cd8daecaea..71daf2ab9da 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml 
@@ -924,6 +924,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 36e2f8d58d1..9c15ba75e8e 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -664,6 +664,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 90e281a79ec..42adfa5773a 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1164,6 +1164,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index ce024421e68..13eb2d2c98b 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -767,6 +767,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 019a2096f05..f87b9a75a39 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml 
@@ -704,6 +704,11 @@ jobs: "push_to_pull_request_branch": { "defaultMax": 1, "fields": { + "branch": { + "type": "string", + "sanitize": true, + "maxLength": 256 + }, "message": { "required": true, "type": "string", From adc17793272f0a3bd0be1bd899b39331a6aadea4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 23:56:02 +0000 Subject: [PATCH 2/7] docs: expand central-repo-ops with agentic factory section Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../src/content/docs/agent-factory-status.mdx | 2 +- .../content/docs/patterns/central-repo-ops.md | 80 +++++++++++++++++++ 2 files changed, 81 insertions(+), 1 deletion(-) diff --git a/docs/src/content/docs/agent-factory-status.mdx b/docs/src/content/docs/agent-factory-status.mdx index eec53c650e8..8aeeb49df2b 100644 --- a/docs/src/content/docs/agent-factory-status.mdx +++ b/docs/src/content/docs/agent-factory-status.mdx 
@@ -57,7 +57,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn, | [Daily Agent of the Day Blog Writer](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-agent-of-the-day-blog-writer.md) | copilot | [![Daily Agent of the Day Blog Writer](https://github.com/github/gh-aw/actions/workflows/daily-agent-of-the-day-blog-writer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-agent-of-the-day-blog-writer.lock.yml) | - | - | | [Daily Agentic Workflow AIC Usage Audit](https://github.com/github/gh-aw/blob/main/.github/workflows/agentic-token-audit.md) | copilot | [![Daily Agentic Workflow AIC Usage Audit](https://github.com/github/gh-aw/actions/workflows/agentic-token-audit.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/agentic-token-audit.lock.yml) | `daily around 12:00 on weekdays` | - | | [Daily AgentRx Trace Optimizer](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-agentrx-trace-optimizer.md) | claude | [![Daily AgentRx Trace Optimizer](https://github.com/github/gh-aw/actions/workflows/daily-agentrx-trace-optimizer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-agentrx-trace-optimizer.lock.yml) | - | - | -| [Daily AIC Consumption Report (Sentry OTel)](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-token-consumption-report.md) | claude | [![Daily AIC Consumption Report (Sentry OTel)](https://github.com/github/gh-aw/actions/workflows/daily-token-consumption-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-token-consumption-report.lock.yml) | - | - | +| [Daily AIC Consumption Report (Sentry + Grafana OTel)](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-token-consumption-report.md) | claude | [![Daily AIC Consumption Report (Sentry + Grafana 
OTel)](https://github.com/github/gh-aw/actions/workflows/daily-token-consumption-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-token-consumption-report.lock.yml) | - | - | | [Daily Ambient Context Optimizer](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-ambient-context-optimizer.md) | copilot | [![Daily Ambient Context Optimizer](https://github.com/github/gh-aw/actions/workflows/daily-ambient-context-optimizer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-ambient-context-optimizer.lock.yml) | - | - | | [Daily AstroStyleLite Markdown Spellcheck](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-astrostylelite-markdown-spellcheck.md) | claude | [![Daily AstroStyleLite Markdown Spellcheck](https://github.com/github/gh-aw/actions/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml) | - | - | | [Daily AW Cross-Repo Compile Check](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-aw-cross-repo-compile-check.md) | claude | [![Daily AW Cross-Repo Compile Check](https://github.com/github/gh-aw/actions/workflows/daily-aw-cross-repo-compile-check.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-aw-cross-repo-compile-check.lock.yml) | - | - | diff --git a/docs/src/content/docs/patterns/central-repo-ops.md b/docs/src/content/docs/patterns/central-repo-ops.md index 66d10785525..0dfc21acc15 100644 --- a/docs/src/content/docs/patterns/central-repo-ops.md +++ b/docs/src/content/docs/patterns/central-repo-ops.md 
@@ -88,9 +88,89 @@ flowchart LR Useful for component-based architectures where multiple teams need a shared visibility layer, cross-project initiatives, or aggregating metrics from distributed repositories. See [Cross-Repo Issue Tracking](/gh-aw/examples/multi-repo/issue-tracking/) for a complete example. +## The Central Repo as an Agentic Factory + +Beyond dispatching work and aggregating events, the central repository can serve as a **packaging envelope** for your entire suite of agentic processes. A single repository holds all the workflows your organization needs. Drop it into a new org, configure the required secrets, and it immediately starts running — no workflow reconstruction required. + +This makes the central repo an **agentic factory**: a self-contained, production-ready bundle that any team can instantiate with minimal effort. + +### Template Repository Structure + +A well-structured agentic factory repository organizes its workflows, shared components, and an `aw.yml` manifest together: + +``` +agentic-workflows/ +├── aw.yml # package manifest +├── README.md # setup guide with secrets checklist +├── .github/ +│ └── workflows/ +│ ├── rollout.md # org-wide rollout orchestrator +│ ├── triage.md # cross-repo issue triage +│ ├── quality-monitor.md # code quality monitoring +│ └── dependabot.md # dependency management +└── shared/ + ├── mcp-config.md # shared MCP server definitions + └── safety-policy.md # shared safe-outputs policies +``` + +Mark the repository as a [GitHub template repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-template-repository) so anyone in the organization can instantiate a personal copy in one click without carrying over existing workflow runs or secrets. + +### Secrets Checklist + +Document the secrets required to activate all workflows in `README.md`. 
A complete factory typically needs: + +| Secret | Purpose | +| ------ | ------- | +| `ANTHROPIC_API_KEY` / `GEMINI_API_KEY` | AI engine for agent runs | +| `GH_AW_READ_ORG_TOKEN` | Read org metadata and repository list | +| `GH_AW_CROSS_REPO_PAT` | Write safe outputs to target repositories | +| `ORG_REPO_CHECKOUT_TOKEN` | Check out target repositories for workers | + +> [!TIP] +> Use a GitHub App rather than PATs for cross-repository tokens where possible. GitHub Apps provide automatic token rotation and fine-grained per-repository scoping. See [Authentication](/gh-aw/reference/auth/) for setup. + +### Activation: Drop In, Configure, Run + +1. **Instantiate** — Create a new repository from the factory template in the target org (or fork it for independent configuration). +2. **Configure** — Add the required secrets to the new repository's **Settings → Secrets → Actions**. +3. **Enable Actions** — Confirm GitHub Actions is enabled for the repository and that scheduled workflows are not paused. +4. **Verify** — Trigger a `workflow_dispatch` on one workflow to confirm end-to-end connectivity before the first scheduled run fires. + +Once secrets are in place, all scheduled workflows activate automatically and the factory is producing. + +### Distribution via `aw.yml` + +Add an `aw.yml` manifest to make the factory installable as a versioned package. Teams can then install individual workflows from the factory rather than copying the whole repository: + +```yaml +name: Acme Org Agentic Factory +emoji: 🏭 +description: Standard agentic workflows for Acme org repositories +min-version: v0.40.0 +includes: + - .github/workflows/rollout.md + - .github/workflows/triage.md + - .github/workflows/quality-monitor.md + - .github/workflows/dependabot.md + - shared/mcp-config.md + - shared/safety-policy.md +``` + +A consuming repository installs a specific workflow: + +```bash +gh aw add acme-org/agentic-workflows/triage@v1.0.0 +``` + +Pin consumers to a release tag for stability. 
As the factory evolves, run `gh aw update` in consuming repositories to pull in upstream changes with a 3-way merge that preserves local edits. + +See [Sharing Workflows in the Organization](/gh-aw/practices/sharing-workflows/) for versioning strategy, governance recommendations, and the recommended enterprise pattern for a central `agentic-workflows` repository. + ## Related Documentation - [MultiRepoOps](/gh-aw/patterns/multi-repo-ops/) — Side repo and downstream sync patterns +- [Sharing Workflows in the Organization](/gh-aw/practices/sharing-workflows/) — Versioning, governance, and enterprise patterns +- [Package Manifest (aw.yml)](/gh-aw/reference/aw-yml-package-manifest/) — Manifest format for installable packages - [Dependabot Rollout](/gh-aw/examples/multi-repo/dependabot-rollout/) — End-to-end org-wide rollout example - [Cross-Repo Issue Tracking](/gh-aw/examples/multi-repo/issue-tracking/) — Aggregated issue tracking example - [Cross-Repository Safe Outputs](/gh-aw/reference/cross-repository/) — Configuration reference From 603453f4ea9ea29414c65303996b0f5dda08dea0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 00:12:00 +0000 Subject: [PATCH 3/7] docs: make aw.yml optional in agentic factory section Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../content/docs/patterns/central-repo-ops.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/src/content/docs/patterns/central-repo-ops.md b/docs/src/content/docs/patterns/central-repo-ops.md index 0dfc21acc15..1010e974c8e 100644 --- a/docs/src/content/docs/patterns/central-repo-ops.md +++ b/docs/src/content/docs/patterns/central-repo-ops.md 
@@ -96,28 +96,28 @@ This makes the central repo an **agentic factory**: a self-contained, production ### Template Repository Structure -A well-structured agentic factory repository organizes its workflows, shared components, and an `aw.yml` manifest together: +A factory repository is self-contained: the `README.md` is the activation manual, and the workflows under `.github/workflows/` are ready to run once secrets are configured. A `shared/` directory holds reusable components, and an `aw.yml` manifest can be added later to enable `gh aw add` installs — but the factory works without one. ``` agentic-workflows/ -├── aw.yml # package manifest -├── README.md # setup guide with secrets checklist +├── README.md # activation manual (secrets, setup, verify) ├── .github/ │ └── workflows/ │ ├── rollout.md # org-wide rollout orchestrator │ ├── triage.md # cross-repo issue triage │ ├── quality-monitor.md # code quality monitoring │ └── dependabot.md # dependency management -└── shared/ - ├── mcp-config.md # shared MCP server definitions - └── safety-policy.md # shared safe-outputs policies +├── shared/ +│ ├── mcp-config.md # shared MCP server definitions +│ └── safety-policy.md # shared safe-outputs policies +└── aw.yml # optional: enables gh aw add installs ``` Mark the repository as a [GitHub template repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-template-repository) so anyone in the organization can instantiate a personal copy in one click without carrying over existing workflow runs or secrets. ### Secrets Checklist -Document the secrets required to activate all workflows in `README.md`. A complete factory typically needs: +The `README.md` should include a complete secrets checklist so anyone instantiating the factory knows exactly what to configure. A typical factory needs: | Secret | Purpose | | ------ | ------- | 
@@ -138,9 +138,9 @@ Document the secrets required to activate all workflows in `README.md`. A comple Once secrets are in place, all scheduled workflows activate automatically and the factory is producing. -### Distribution via `aw.yml` +### Optional: Distribution via `aw.yml` -Add an `aw.yml` manifest to make the factory installable as a versioned package. Teams can then install individual workflows from the factory rather than copying the whole repository: +Adding an `aw.yml` manifest is optional but enables teams to install individual workflows from the factory using `gh aw add` rather than cloning or forking the whole repository: ```yaml name: Acme Org Agentic Factory From 07bb1947683d29bfe3bb6f27180e48b41a4badf9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 00:43:12 +0000 Subject: [PATCH 4/7] docs: move shared components under .github/workflows/shared Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- docs/src/content/docs/patterns/central-repo-ops.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/src/content/docs/patterns/central-repo-ops.md b/docs/src/content/docs/patterns/central-repo-ops.md index 1010e974c8e..63c91d266d3 100644 --- a/docs/src/content/docs/patterns/central-repo-ops.md +++ b/docs/src/content/docs/patterns/central-repo-ops.md 
@@ -96,7 +96,7 @@ This makes the central repo an **agentic factory**: a self-contained, production ### Template Repository Structure -A factory repository is self-contained: the `README.md` is the activation manual, and the workflows under `.github/workflows/` are ready to run once secrets are configured. A `shared/` directory holds reusable components, and an `aw.yml` manifest can be added later to enable `gh aw add` installs — but the factory works without one. +A factory repository is self-contained: the `README.md` is the activation manual, and the workflows under `.github/workflows/` are ready to run once secrets are configured. An `aw.yml` manifest can be added later to enable `gh aw add` installs — but the factory works without one. ``` agentic-workflows/ @@ -106,10 +106,10 @@ agentic-workflows/ │ ├── rollout.md # org-wide rollout orchestrator │ ├── triage.md # cross-repo issue triage │ ├── quality-monitor.md # code quality monitoring -│ └── dependabot.md # dependency management -├── shared/ -│ ├── mcp-config.md # shared MCP server definitions -│ └── safety-policy.md # shared safe-outputs policies +│ ├── dependabot.md # dependency management +│ └── shared/ +│ ├── mcp-config.md # shared MCP server definitions +│ └── safety-policy.md # shared safe-outputs policies └── aw.yml # optional: enables gh aw add installs ``` @@ -152,8 +152,8 @@ includes: - .github/workflows/triage.md - .github/workflows/quality-monitor.md - .github/workflows/dependabot.md - - shared/mcp-config.md - - shared/safety-policy.md + - .github/workflows/shared/mcp-config.md + - .github/workflows/shared/safety-policy.md ``` A consuming repository installs a specific workflow: From 59462aa5c29e51449d42c4b25693d5caee764f2d Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 00:58:54 +0000 Subject: [PATCH 5/7] docs: remove aw.yml distribution section from agentic factory Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../content/docs/patterns/central-repo-ops.md | 50 ++++--------------- 1 file changed, 10 insertions(+), 40 deletions(-) diff --git a/docs/src/content/docs/patterns/central-repo-ops.md b/docs/src/content/docs/patterns/central-repo-ops.md index 63c91d266d3..772272dc07f 100644 --- a/docs/src/content/docs/patterns/central-repo-ops.md +++ b/docs/src/content/docs/patterns/central-repo-ops.md 
@@ -96,21 +96,20 @@ This makes the central repo an **agentic factory**: a self-contained, production ### Template Repository Structure -A factory repository is self-contained: the `README.md` is the activation manual, and the workflows under `.github/workflows/` are ready to run once secrets are configured. An `aw.yml` manifest can be added later to enable `gh aw add` installs — but the factory works without one. +A factory repository is self-contained: the `README.md` is the activation manual, and the workflows under `.github/workflows/` are ready to run once secrets are configured. ``` agentic-workflows/ ├── README.md # activation manual (secrets, setup, verify) -├── .github/ -│ └── workflows/ -│ ├── rollout.md # org-wide rollout orchestrator -│ ├── triage.md # cross-repo issue triage -│ ├── quality-monitor.md # code quality monitoring -│ ├── dependabot.md # dependency management -│ └── shared/ -│ ├── mcp-config.md # shared MCP server definitions -│ └── safety-policy.md # shared safe-outputs policies -└── aw.yml # optional: enables gh aw add installs +└── .github/ + └── workflows/ + ├── rollout.md # org-wide rollout orchestrator + ├── triage.md # cross-repo issue triage + ├── quality-monitor.md # code quality monitoring + ├── dependabot.md # dependency management + └── shared/ + ├── mcp-config.md # shared MCP server definitions + └── safety-policy.md # shared safe-outputs policies ``` Mark the repository as a [GitHub template repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-template-repository) so anyone in the organization can instantiate a personal copy in one click without carrying over existing workflow runs or secrets. 
@@ -138,39 +137,10 @@ The `README.md` should include a complete secrets checklist so anyone instantiat Once secrets are in place, all scheduled workflows activate automatically and the factory is producing. -### Optional: Distribution via `aw.yml` - -Adding an `aw.yml` manifest is optional but enables teams to install individual workflows from the factory using `gh aw add` rather than cloning or forking the whole repository: - -```yaml -name: Acme Org Agentic Factory -emoji: 🏭 -description: Standard agentic workflows for Acme org repositories -min-version: v0.40.0 -includes: - - .github/workflows/rollout.md - - .github/workflows/triage.md - - .github/workflows/quality-monitor.md - - .github/workflows/dependabot.md - - .github/workflows/shared/mcp-config.md - - .github/workflows/shared/safety-policy.md -``` - -A consuming repository installs a specific workflow: - -```bash -gh aw add acme-org/agentic-workflows/triage@v1.0.0 -``` - -Pin consumers to a release tag for stability. As the factory evolves, run `gh aw update` in consuming repositories to pull in upstream changes with a 3-way merge that preserves local edits. - -See [Sharing Workflows in the Organization](/gh-aw/practices/sharing-workflows/) for versioning strategy, governance recommendations, and the recommended enterprise pattern for a central `agentic-workflows` repository. 
- ## Related Documentation - [MultiRepoOps](/gh-aw/patterns/multi-repo-ops/) — Side repo and downstream sync patterns - [Sharing Workflows in the Organization](/gh-aw/practices/sharing-workflows/) — Versioning, governance, and enterprise patterns -- [Package Manifest (aw.yml)](/gh-aw/reference/aw-yml-package-manifest/) — Manifest format for installable packages - [Dependabot Rollout](/gh-aw/examples/multi-repo/dependabot-rollout/) — End-to-end org-wide rollout example - [Cross-Repo Issue Tracking](/gh-aw/examples/multi-repo/issue-tracking/) — Aggregated issue tracking example - [Cross-Repository Safe Outputs](/gh-aw/reference/cross-repository/) — Configuration reference From 89f707d05f5f7e9d03a1c08527292770ac085bf4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 01:39:00 +0000 Subject: [PATCH 6/7] docs: remove subsections from agentic factory section per review Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../content/docs/patterns/central-repo-ops.md | 43 ------------------- 1 file changed, 43 deletions(-) diff --git a/docs/src/content/docs/patterns/central-repo-ops.md b/docs/src/content/docs/patterns/central-repo-ops.md index 772272dc07f..81d56730098 100644 --- a/docs/src/content/docs/patterns/central-repo-ops.md +++ b/docs/src/content/docs/patterns/central-repo-ops.md 
@@ -94,49 +94,6 @@ Beyond dispatching work and aggregating events, the central repository can serve This makes the central repo an **agentic factory**: a self-contained, production-ready bundle that any team can instantiate with minimal effort. -### Template Repository Structure - -A factory repository is self-contained: the `README.md` is the activation manual, and the workflows under `.github/workflows/` are ready to run once secrets are configured. - -``` -agentic-workflows/ -├── README.md # activation manual (secrets, setup, verify) -└── .github/ - └── workflows/ - ├── rollout.md # org-wide rollout orchestrator - ├── triage.md # cross-repo issue triage - ├── quality-monitor.md # code quality monitoring - ├── dependabot.md # dependency management - └── shared/ - ├── mcp-config.md # shared MCP server definitions - └── safety-policy.md # shared safe-outputs policies -``` - -Mark the repository as a [GitHub template repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-template-repository) so anyone in the organization can instantiate a personal copy in one click without carrying over existing workflow runs or secrets. - -### Secrets Checklist - -The `README.md` should include a complete secrets checklist so anyone instantiating the factory knows exactly what to configure. A typical factory needs: - -| Secret | Purpose | -| ------ | ------- | -| `ANTHROPIC_API_KEY` / `GEMINI_API_KEY` | AI engine for agent runs | -| `GH_AW_READ_ORG_TOKEN` | Read org metadata and repository list | -| `GH_AW_CROSS_REPO_PAT` | Write safe outputs to target repositories | -| `ORG_REPO_CHECKOUT_TOKEN` | Check out target repositories for workers | - -> [!TIP] -> Use a GitHub App rather than PATs for cross-repository tokens where possible. GitHub Apps provide automatic token rotation and fine-grained per-repository scoping. See [Authentication](/gh-aw/reference/auth/) for setup. - -### Activation: Drop In, Configure, Run - -1. 
**Instantiate** — Create a new repository from the factory template in the target org (or fork it for independent configuration). -2. **Configure** — Add the required secrets to the new repository's **Settings → Secrets → Actions**. -3. **Enable Actions** — Confirm GitHub Actions is enabled for the repository and that scheduled workflows are not paused. -4. **Verify** — Trigger a `workflow_dispatch` on one workflow to confirm end-to-end connectivity before the first scheduled run fires. - -Once secrets are in place, all scheduled workflows activate automatically and the factory is producing. - ## Related Documentation - [MultiRepoOps](/gh-aw/patterns/multi-repo-ops/) — Side repo and downstream sync patterns From b57790db202e058c764b5085a33bd7f1f1aab1c0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 03:12:00 +0000 Subject: [PATCH 7/7] chore: recompile lock files after merging main Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agent-performance-analyzer.lock.yml | 3 ++- .github/workflows/audit-workflows.lock.yml | 3 ++- .github/workflows/ci-coach.lock.yml | 3 ++- .github/workflows/daily-compiler-quality.lock.yml | 3 ++- .github/workflows/daily-max-ai-credits-test.lock.yml | 3 ++- .github/workflows/daily-observability-report.lock.yml | 3 ++- .github/workflows/daily-regulatory.lock.yml | 3 ++- .github/workflows/daily-safe-output-optimizer.lock.yml | 3 ++- .github/workflows/daily-team-evolution-insights.lock.yml | 3 ++- .github/workflows/pr-triage-agent.lock.yml | 3 ++- .github/workflows/safe-output-health.lock.yml | 3 ++- .github/workflows/schema-consistency-checker.lock.yml | 3 ++- .github/workflows/workflow-health-manager.lock.yml | 3 ++- 13 files changed, 26 insertions(+), 13 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 7d3fd4aff45..02facc3702e 100644 
--- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1596,7 +1596,8 @@ jobs: export GH_AW_NODE_BIN export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK" (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","registry.npmjs.org","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1500},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 00953497316..64342e8df70 100644 --- a/.github/workflows/audit-workflows.lock.yml 
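Review bot: The added `GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}"` line expands the Actions expression into the script text before bash runs, and the value is then spliced unquoted into the `maxAiCredits` field of awf-config.json with no check that it is a number. A variable value that is not purely digits, or that contains quotes or shell metacharacters, would change the shell line or the generated firewall/API-proxy config instead of failing cleanly. I would pass the variable through the step's `env:` block rather than inline expansion and guard it before the `printf`, e.g. `[[ "$GH_AW_MAX_AI_CREDITS" =~ ^[0-9]+$ ]] || { echo "invalid GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS" >&2; exit 1; }`. The same pattern appears in the audit-workflows.lock.yml hunk. These files look like compiled output, so the fix presumably belongs in the generator, and the enclosing run step starts and ends outside this hunk.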
+++ b/.github/workflows/audit-workflows.lock.yml 
@@ -1671,7 +1671,8 @@ jobs: printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt touch /tmp/gh-aw/agent-step-summary.md (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","anthropic.com","api.anthropic.com","api.github.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","cdn.playwright.dev","codeload.github.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","files.pythonhosted.org","ghcr.io","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","lfs.github.com","objects.githubusercontent.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","playwright.download.prss.microsoft.com","ppa.launchpad.net","pypi.org","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","sentry.io","statsig.anthropic.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1500},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' 
"{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.githubusercontent.com\",\"anthropic.com\",\"api.anthropic.com\",\"api.github.com\",\"api.snapcraft.io\",\"archive.ubuntu.com\",\"azure.archive.ubuntu.com\",\"cdn.playwright.dev\",\"codeload.github.com\",\"crl.geotrust.com\",\"crl.globalsign.com\",\"crl.identrust.com\",\"crl.sectigo.com\",\"crl.thawte.com\",\"crl.usertrust.com\",\"crl.verisign.com\",\"crl3.digicert.com\",\"crl4.digicert.com\",\"crls.ssl.com\",\"files.pythonhosted.org\",\"ghcr.io\",\"github-cloud.githubusercontent.com\",\"github-cloud.s3.amazonaws.com\",\"github.com\",\"host.docker.internal\",\"json-schema.org\",\"json.schemastore.org\",\"keyserver.ubuntu.com\",\"lfs.github.com\",\"objects.githubusercontent.com\",\"ocsp.digicert.com\",\"ocsp.geotrust.com\",\"ocsp.globalsign.com\",\"ocsp.identrust.com\",\"ocsp.sectigo.com\",\"ocsp.ssl.com\",\"ocsp.thawte.com\",\"ocsp.usertrust.com\",\"ocsp.verisign.com\",\"packagecloud.io\",\"packages.cloud.google.com\",\"packages.microsoft.com\",\"playwright.download.prss.microsoft.com\",\"ppa.launchpad.net\",\"pypi.org\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"s.symcb.com\",\"s.symcd.com\",\"security.ubuntu.com\",\"sentry.io\",\"statsig.anthropic.com\",\"ts-crl.ws.symantec.com\",\"ts-ocsp.ws.symantec.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 1929b6d6f23..3060c4533fe 100644 
--- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1505,7 +1505,8 @@ jobs: export GH_AW_NODE_BIN export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK" (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","registry.npmjs.org","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":50000},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index b79f385ef1d..00461099c52 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml 
+++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -1555,7 +1555,8 @@ jobs: export GH_AW_NODE_BIN export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK" (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","registry.npmjs.org","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1000},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" diff --git a/.github/workflows/daily-max-ai-credits-test.lock.yml b/.github/workflows/daily-max-ai-credits-test.lock.yml index cc1a8c911f6..67b96e1e046 100644 --- a/.github/workflows/daily-max-ai-credits-test.lock.yml 
+++ b/.github/workflows/daily-max-ai-credits-test.lock.yml @@ -1297,7 +1297,8 @@ jobs: export GH_AW_NODE_BIN export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK" (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","registry.npmjs.org","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 2ff00e4781f..4aee509cb85 100644 --- a/.github/workflows/daily-observability-report.lock.yml 
+++ b/.github/workflows/daily-observability-report.lock.yml @@ -1564,7 +1564,8 @@ jobs: printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt mkdir -p "$CODEX_HOME/logs" && touch /tmp/gh-aw/agent-step-summary.md && mkdir -p /tmp/gh-aw/threat-detection && printf '%s' '{"type":"object","properties":{"prompt_injection":{"type":"boolean"},"secret_leak":{"type":"boolean"},"malicious_patch":{"type":"boolean"},"reasons":{"type":"array","items":{"type":"string"}}},"required":["prompt_injection","secret_leak","malicious_patch","reasons"],"additionalProperties":false}' > /tmp/gh-aw/threat-detection/detection_schema.json (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["172.30.0.1","api.openai.com","chatgpt.com","host.docker.internal","openai.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1500},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"172.30.0.1\",\"api.openai.com\",\"chatgpt.com\",\"host.docker.internal\",\"openai.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" 
diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index ece000c9829..384c93dd705 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1887,7 +1887,8 @@ jobs: export GH_AW_NODE_BIN export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK" (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","registry.npmjs.org","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1000},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" 
diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 24320c22c4e..03e0e149804 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml 
@@ -1690,7 +1690,8 @@ jobs: printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt touch /tmp/gh-aw/agent-step-summary.md (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","anthropic.com","api.anthropic.com","api.github.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","cdn.playwright.dev","codeload.github.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","files.pythonhosted.org","ghcr.io","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","lfs.github.com","objects.githubusercontent.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","playwright.download.prss.microsoft.com","ppa.launchpad.net","pypi.org","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","sentry.io","statsig.anthropic.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1500},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' 
"{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.githubusercontent.com\",\"anthropic.com\",\"api.anthropic.com\",\"api.github.com\",\"api.snapcraft.io\",\"archive.ubuntu.com\",\"azure.archive.ubuntu.com\",\"cdn.playwright.dev\",\"codeload.github.com\",\"crl.geotrust.com\",\"crl.globalsign.com\",\"crl.identrust.com\",\"crl.sectigo.com\",\"crl.thawte.com\",\"crl.usertrust.com\",\"crl.verisign.com\",\"crl3.digicert.com\",\"crl4.digicert.com\",\"crls.ssl.com\",\"files.pythonhosted.org\",\"ghcr.io\",\"github-cloud.githubusercontent.com\",\"github-cloud.s3.amazonaws.com\",\"github.com\",\"host.docker.internal\",\"json-schema.org\",\"json.schemastore.org\",\"keyserver.ubuntu.com\",\"lfs.github.com\",\"objects.githubusercontent.com\",\"ocsp.digicert.com\",\"ocsp.geotrust.com\",\"ocsp.globalsign.com\",\"ocsp.identrust.com\",\"ocsp.sectigo.com\",\"ocsp.ssl.com\",\"ocsp.thawte.com\",\"ocsp.usertrust.com\",\"ocsp.verisign.com\",\"packagecloud.io\",\"packages.cloud.google.com\",\"packages.microsoft.com\",\"playwright.download.prss.microsoft.com\",\"ppa.launchpad.net\",\"pypi.org\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"s.symcb.com\",\"s.symcd.com\",\"security.ubuntu.com\",\"sentry.io\",\"statsig.anthropic.com\",\"ts-crl.ws.symantec.com\",\"ts-ocsp.ws.symantec.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" 
diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 00ff31b22a2..6870dd38b53 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml 
@@ -1439,7 +1439,8 @@ jobs: printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt touch /tmp/gh-aw/agent-step-summary.md (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","anthropic.com","api.anthropic.com","api.github.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","cdn.playwright.dev","codeload.github.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","files.pythonhosted.org","ghcr.io","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","lfs.github.com","objects.githubusercontent.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","playwright.download.prss.microsoft.com","ppa.launchpad.net","pypi.org","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","sentry.io","statsig.anthropic.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1500},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' 
"{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.githubusercontent.com\",\"anthropic.com\",\"api.anthropic.com\",\"api.github.com\",\"api.snapcraft.io\",\"archive.ubuntu.com\",\"azure.archive.ubuntu.com\",\"cdn.playwright.dev\",\"codeload.github.com\",\"crl.geotrust.com\",\"crl.globalsign.com\",\"crl.identrust.com\",\"crl.sectigo.com\",\"crl.thawte.com\",\"crl.usertrust.com\",\"crl.verisign.com\",\"crl3.digicert.com\",\"crl4.digicert.com\",\"crls.ssl.com\",\"files.pythonhosted.org\",\"ghcr.io\",\"github-cloud.githubusercontent.com\",\"github-cloud.s3.amazonaws.com\",\"github.com\",\"host.docker.internal\",\"json-schema.org\",\"json.schemastore.org\",\"keyserver.ubuntu.com\",\"lfs.github.com\",\"objects.githubusercontent.com\",\"ocsp.digicert.com\",\"ocsp.geotrust.com\",\"ocsp.globalsign.com\",\"ocsp.identrust.com\",\"ocsp.sectigo.com\",\"ocsp.ssl.com\",\"ocsp.thawte.com\",\"ocsp.usertrust.com\",\"ocsp.verisign.com\",\"packagecloud.io\",\"packages.cloud.google.com\",\"packages.microsoft.com\",\"playwright.download.prss.microsoft.com\",\"ppa.launchpad.net\",\"pypi.org\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"s.symcb.com\",\"s.symcd.com\",\"security.ubuntu.com\",\"sentry.io\",\"statsig.anthropic.com\",\"ts-crl.ws.symantec.com\",\"ts-ocsp.ws.symantec.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 9a86499a189..83ef082e04d 100644 
--- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1530,7 +1530,8 @@ jobs: export GH_AW_NODE_BIN export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK" (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","registry.npmjs.org","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1500},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 5e8e9555ee4..f96999bb3eb 100644 --- a/.github/workflows/safe-output-health.lock.yml 
+++ b/.github/workflows/safe-output-health.lock.yml 
@@ -1596,7 +1596,8 @@ jobs: printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt touch /tmp/gh-aw/agent-step-summary.md (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","anthropic.com","api.anthropic.com","api.github.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","cdn.playwright.dev","codeload.github.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","files.pythonhosted.org","ghcr.io","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","lfs.github.com","objects.githubusercontent.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","playwright.download.prss.microsoft.com","ppa.launchpad.net","pypi.org","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","sentry.io","statsig.anthropic.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1500},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' 
"{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.githubusercontent.com\",\"anthropic.com\",\"api.anthropic.com\",\"api.github.com\",\"api.snapcraft.io\",\"archive.ubuntu.com\",\"azure.archive.ubuntu.com\",\"cdn.playwright.dev\",\"codeload.github.com\",\"crl.geotrust.com\",\"crl.globalsign.com\",\"crl.identrust.com\",\"crl.sectigo.com\",\"crl.thawte.com\",\"crl.usertrust.com\",\"crl.verisign.com\",\"crl3.digicert.com\",\"crl4.digicert.com\",\"crls.ssl.com\",\"files.pythonhosted.org\",\"ghcr.io\",\"github-cloud.githubusercontent.com\",\"github-cloud.s3.amazonaws.com\",\"github.com\",\"host.docker.internal\",\"json-schema.org\",\"json.schemastore.org\",\"keyserver.ubuntu.com\",\"lfs.github.com\",\"objects.githubusercontent.com\",\"ocsp.digicert.com\",\"ocsp.geotrust.com\",\"ocsp.globalsign.com\",\"ocsp.identrust.com\",\"ocsp.sectigo.com\",\"ocsp.ssl.com\",\"ocsp.thawte.com\",\"ocsp.usertrust.com\",\"ocsp.verisign.com\",\"packagecloud.io\",\"packages.cloud.google.com\",\"packages.microsoft.com\",\"playwright.download.prss.microsoft.com\",\"ppa.launchpad.net\",\"pypi.org\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"s.symcb.com\",\"s.symcd.com\",\"security.ubuntu.com\",\"sentry.io\",\"statsig.anthropic.com\",\"ts-crl.ws.symantec.com\",\"ts-ocsp.ws.symantec.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" 
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 618097ee4c7..ebc757e09c3 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml 
@@ -1491,7 +1491,8 @@ jobs: printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt touch /tmp/gh-aw/agent-step-summary.md (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","anthropic.com","api.anthropic.com","api.github.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","cdn.playwright.dev","codeload.github.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","files.pythonhosted.org","ghcr.io","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","lfs.github.com","objects.githubusercontent.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","playwright.download.prss.microsoft.com","ppa.launchpad.net","pypi.org","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","sentry.io","statsig.anthropic.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1500},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' 
"{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.githubusercontent.com\",\"anthropic.com\",\"api.anthropic.com\",\"api.github.com\",\"api.snapcraft.io\",\"archive.ubuntu.com\",\"azure.archive.ubuntu.com\",\"cdn.playwright.dev\",\"codeload.github.com\",\"crl.geotrust.com\",\"crl.globalsign.com\",\"crl.identrust.com\",\"crl.sectigo.com\",\"crl.thawte.com\",\"crl.usertrust.com\",\"crl.verisign.com\",\"crl3.digicert.com\",\"crl4.digicert.com\",\"crls.ssl.com\",\"files.pythonhosted.org\",\"ghcr.io\",\"github-cloud.githubusercontent.com\",\"github-cloud.s3.amazonaws.com\",\"github.com\",\"host.docker.internal\",\"json-schema.org\",\"json.schemastore.org\",\"keyserver.ubuntu.com\",\"lfs.github.com\",\"objects.githubusercontent.com\",\"ocsp.digicert.com\",\"ocsp.geotrust.com\",\"ocsp.globalsign.com\",\"ocsp.identrust.com\",\"ocsp.sectigo.com\",\"ocsp.ssl.com\",\"ocsp.thawte.com\",\"ocsp.usertrust.com\",\"ocsp.verisign.com\",\"packagecloud.io\",\"packages.cloud.google.com\",\"packages.microsoft.com\",\"playwright.download.prss.microsoft.com\",\"ppa.launchpad.net\",\"pypi.org\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"s.symcb.com\",\"s.symcd.com\",\"security.ubuntu.com\",\"sentry.io\",\"statsig.anthropic.com\",\"ts-crl.ws.symantec.com\",\"ts-ocsp.ws.symantec.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index df953f57422..b3dd854e377 100644 
--- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1494,7 +1494,8 @@ jobs: export GH_AW_NODE_BIN export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK" (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log) - printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","registry.npmjs.org","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxAiCredits":1500},"container":{"imageTag":"0.27.0"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}" + printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.0/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json"